Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1514483-6)
SAP Support Packages
(SAPK-50081INEAHRGXX, SAPK-60064INEAHRGXX, SAPK-60243INEAHRGXX, SAPK-60338INEAHRGXX, SAPK-60430INEAHRGXX, SAPK-60505INEAHRGXX)
Описание
EA-HR executes certain functions through referencing specific URLs. When an attacker tricks an authenticated user's browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
1. Refer to note 1481392 for additional information and instructions. The corrections from note 1481392 are a prerequisite for implementation of this note.
2. Implement the correction instructions of this note. This will also create the report RH_XSRF_PARAM_EA_HR_ITS (RH_XSRF_PARAM_EAHR_ITS in Release 500) in your system.
3. Execute the report in the development system and specify when requested a corresponding transport request number. The report will add service parameters for the adapted ITS services (maintained via the GUI configuration pushbutton for a service within transaction SICF).
2. Implement the correction instructions of this note. This will also create the report RH_XSRF_PARAM_EA_HR_ITS (RH_XSRF_PARAM_EAHR_ITS in Release 500) in your system.
3. Execute the report in the development system and specify when requested a corresponding transport request number. The report will add service parameters for the adapted ITS services (maintained via the GUI configuration pushbutton for a service within transaction SICF).
Ссылки