Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1509638-3)
SAP Support Packages
(SAPK-60019INISOIL, SAPK-60209INISOIL, SAPK-60308INISOIL, SAPK-60409INISOIL, SAPK-60503INISOIL, SAPK-60504INISOIL)
Описание
SAP IS-Oil Store workbench executes certain functions through referencing specific URLs. When an attacker tricks an authenticated user#s browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
1. Refer to note 1481392 for additional information and instructions. The corrections from note 1481392 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note. This will also create the report ITS_XSRF_PARAM_IS_OIL_SSR in your system.
3. Execute the report ITS_XSRF_PARAM_IS_OIL_SSR and specify when requested a corresponding transport request number. The report will add service parameters for the adapted ITS services (maintained via the GUI configuration pushbutton for a service within transaction SICF).
2. Implement the correction instructions of this note. This will also create the report ITS_XSRF_PARAM_IS_OIL_SSR in your system.
3. Execute the report ITS_XSRF_PARAM_IS_OIL_SSR and specify when requested a corresponding transport request number. The report will add service parameters for the adapted ITS services (maintained via the GUI configuration pushbutton for a service within transaction SICF).
Ссылки