• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1514098

Главная Специалистам База уязвимостей Не установлено обновление Note 1514098

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1514098-1) SAP Support Packages (SAPKU40018, SAPKU50018, SAPKU52011, SAPKU60009, SAPKU70009, SAPKU70103)
Описание
The above mentioned BSP applications execute certain functions through  referencing specific URLs. When an attacker tricks an authenticated  user#s browser into making a request containing a certain URL and  specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
1. Refer to note 1520324 for additional information and instructions. The corrections from note 1520324 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note. This will also create the report BSP_XSRF_PARAM_CRM_MKT in your system.
3. Execute the report BSP_XSRF_PARAM_CRM_MKT and specify when requested a corresponding transport request number. The report will fill the database table BSPTEMPXSRFSTORE with corresponding table entries for the BSP applications adapted by this note.
------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component BBPCRM BBP / CRM |
| Release 701 Until SAPKU70102 |
------------------------------------------------------------------------
1. Enter transaction SE80 and edit the BSP Application CARPTEST.
a) Mark the checkbox for "XSRF Protection".
b) Save and activate your changes.
2. Enter transaction SE80 and edit the BSP Application CRM_MKTTG_SEGAP.
a) Mark the checkbox for "XSRF Protection".
b) Save and activate your changes.
3. Enter transaction SE80 and edit the BSP Application CRM_MKTIMEX_MON.
a) Mark the checkbox for "XSRF Protection".
b) Save and activate your changes.
4. Enter transaction SE80 and edit the BSP Application CRM_MKTCA_UI.
a) Mark the checkbox for "XSRF Protection".
b) Save and activate your changes.
Ссылки