Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1511594-5)
SAP Support Packages
(SAPK-60019INECCDIMP, SAPK-60209INECCDIMP, SAPK-60308INECCDIMP, SAPK-60409INECCDIMP, SAPK-60503INECCDIMP, SAPKIPMH14)
Описание
BOS executes certain functions through referencing specific URLs. When an attacker tricks an authenticated users browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the user. If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
1. Refer to note 1481392 for additional information and instructions. The corrections from note 1481392 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note. This will also create the report RITS_XSRF_PARAM_BOS02 in your system.
3. Execute the report RITS_XSRF_PARAM_BOS02 and specify a corresponding transport request number when requested . The report will add service parameters for the adapted ITS services (maintained via the GUI configuration pushbutton for a service within transaction SICF).
2. Implement the correction instructions of this note. This will also create the report RITS_XSRF_PARAM_BOS02 in your system.
3. Execute the report RITS_XSRF_PARAM_BOS02 and specify a corresponding transport request number when requested . The report will add service parameters for the adapted ITS services (maintained via the GUI configuration pushbutton for a service within transaction SICF).
Ссылки