Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1507940-4)
SAP Support Packages
(SAPKH50024, SAPKH50025, SAPKH60019, SAPKH60209, SAPKH60308, SAPKH60409, SAPKH60503, SAPKH60504)
Описание
FI-AR/FI-AP executes certain functions through referencing specific URLs. When an attacker tricks an authenticated user's browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
1. Refer to note 1481392 for additional information and instructions. The corrections from note 1481392 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note. This will also create the report ITS_XSRF_PARAM__FIAP_AR_ALL of the application component [replace this with your report name] in your system.
3. Execute the report ITS_XSRF_PARAM_FIAP_AR_ALL of the application component and specify when requested a corresponding transport request number. The report will add service parameters for the adapted ITS services (maintained via the GUI configuration pushbutton for a service within transaction SICF).
2. Implement the correction instructions of this note. This will also create the report ITS_XSRF_PARAM__FIAP_AR_ALL of the application component [replace this with your report name] in your system.
3. Execute the report ITS_XSRF_PARAM_FIAP_AR_ALL of the application component and specify when requested a corresponding transport request number. The report will add service parameters for the adapted ITS services (maintained via the GUI configuration pushbutton for a service within transaction SICF).
Ссылки