Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1519720-3)
SAP Support Packages
(SAPK-60209INEAAPPL, SAPK-60308INEAAPPL, SAPK-60409INEAAPPL, SAPK-60503INEAAPPL, SAPK-60504INEAAPPL, SAPKGPAC24, SAPKGPAC25, SAPKGPAD19)
Описание
The product designer UI executes certain functions through referencing specific URLs. When an attacker tricks an authenticated user#s browser into making a request containing a certain URL and specific parameters, the function is executed with the rights of the user. If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
1. Refer to Note 1481392 for more information.
The corrections from Note 1481392 are required for this note. You must first implement the corrections from Note 1481392.
2. Implement the correction instructions from this note.
3. Execute the program ITS_XSRF_PARAM_PDN and enter a transfer order if required.
The program adds parameters to the corresponding ITS service (normally maintained using the button for the GUI configuration in transaction SICF).
The corrections from Note 1481392 are required for this note. You must first implement the corrections from Note 1481392.
2. Implement the correction instructions from this note.
3. Execute the program ITS_XSRF_PARAM_PDN and enter a transfer order if required.
The program adds parameters to the corresponding ITS service (normally maintained using the button for the GUI configuration in transaction SICF).
Ссылки