Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1506350-5)
SAP Support Packages
(SAPKH50024, SAPKH50025, SAPKH60019, SAPKH60209, SAPKH60308, SAPKH60409, SAPKH60503, SAPKH60504)
Описание
FI-AA executes certain internet services through referencing specific URLs. When an attacker tricks an authenticated user#s browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the user.
Как исправить
1. See Note 1481392 for additional information and instructions. The correction instructions contained in Note 1481392 must be implemented before you implement this note.
2. Implement the correction instructions and create the report ITS_XSRF_PARAM_FIAA_ALL in your system.
3. Execute the report ITS_XSRF_PARAM_FIAA_ALL and enter a relevant transport request, when prompted. The report inserts some service parameters for the adjusted ITS services (these are usually entered by choosing the button for the GUI settings in transaction SICF for maintaining ITS services).
2. Implement the correction instructions and create the report ITS_XSRF_PARAM_FIAA_ALL in your system.
3. Execute the report ITS_XSRF_PARAM_FIAA_ALL and enter a relevant transport request, when prompted. The report inserts some service parameters for the adjusted ITS services (these are usually entered by choosing the button for the GUI settings in transaction SICF for maintaining ITS services).
Ссылки