Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1509886-3)
SAP Support Packages
(SAPK-60019ININSURANC, SAPK-60209ININSURANC, SAPK-60308ININSURANC, SAPK-60409ININSURANC, SAPK-60503ININSURANC, SAPK-60504ININSURANC, SAPKIPIN21)
Описание
The italian agency collection BSP application executes certain functions through referencing specific URLs. When an attacker tricks an authenticated user's browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
Implementation of the correction described in this note. For lower releases than INSURANCE 6.05 see the instruction below.
The solution is not working if BSP design 'DESIGN2002' is used. For the italian agency collection the design can be set per user by usage of the user parameter ID ITAGCY_DESIGN. There's also the BSP application ITAGCY_USERDATA available where users can change the design manually.
See also note 1509885 which provides the BSP design 'DESIGN2008'.
It is only possible to access the application via the start page index.htm. The access via the controller main.do is no longer supported.
The solution is not working if BSP design 'DESIGN2002' is used. For the italian agency collection the design can be set per user by usage of the user parameter ID ITAGCY_DESIGN. There's also the BSP application ITAGCY_USERDATA available where users can change the design manually.
See also note 1509885 which provides the BSP design 'DESIGN2008'.
It is only possible to access the application via the start page index.htm. The access via the controller main.do is no longer supported.
Ссылки