
Update Note 1511203 not installed

Vulnerability card

Vulnerability characteristics

Severity level
CVSS score
Software vendor
SAP
Software name
SAP Notes (1511203-5) SAP Support Packages (SAPKA64028, SAPKA70024, SAPKA70109, SAPKA70206, SAPKA71012, SAPKA71107, SAPKA73002)
Description
SAP_ABA executes certain functions through referencing specific URLs. When an attacker tricks an authenticated user's browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the user.
The attacker may use a Cross Site Scripting vulnerability, if one is present, to trigger the exploit, or use an approach in which the victim is presented with a link to click.
How to fix
The correction will be delivered with a Support Package. The relationship between the Support Package and the technical name given under "Support Packages" is described in SAP note 1232082.

As an alternative, you can implement the correction instructions:

1. Refer to note 1481392 for additional information and instructions. The corrections from note 1481392 are a prerequisite for implementation of this note.

2. Implement the correction instructions of this note. This will also create the report RH_XSRF_PARAM_SAP_ABA_ITS in your system.

3. Execute the report and, when requested, specify a corresponding transport request number. The report will add service parameters for the adapted ITS services (maintained via the GUI configuration pushbutton for a service within transaction SICF).
References
Update Note 1511193 not installed
Update Note 1511280 not installed