• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1510356

Главная Специалистам База уязвимостей Не установлено обновление Note 1510356

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1510356-5) SAP Support Packages (SAPK-60209INEAAPPL, SAPK-60308INEAAPPL, SAPK-60409INEAAPPL, SAPK-60503INEAAPPL, SAPK-60504INEAAPPL, SAPKGPAC25, SAPKGPAD19, SAPKH50025, SAPKH60019, SAPKH60209, SAPKH60308, SAPKH60409, SAPKH60503, SAPKH60504)
Описание
ISR executes certain functions through referencing specific URLs. When  an attacker tricks an authenticated user's browser into making a request  containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to  trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
1. See Note 1481392 for additional information and instructions. The correction instructions contained in Note 1481392 must be implemented before you implement this note.
2. Implement the correction instructions and create the reports ITS_XSRF_PARAM_ISR and ITS_XSRF_PARAM_ISR_EA_APPL as a local object in your system.
3. Execute the reports ITS_XSRF_PARAM_ISR and ITS_XSRF_PARAM_ISR_EA_APPL and enter a relevant transport request, when prompted. The report inserts some service parameters for the adjusted ITS services (these are usually entered by choosing the button for the GUI settings in transaction SICF for maintaining ITS services).
Ссылки