• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1525156

Главная Специалистам База уязвимостей Не установлено обновление Note 1525156

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1525156-1) SAP Support Packages (SAP_J2EE_ENGINE_640_SP025_000006, SAP_J2EE_ENGINE_640_SP026_000003, SAP_J2EE_ENGINE_640_SP027_000001, SAP_J2EE_ENGINE_640_SP028_000000, SAP_J2EE_ENGINE_640_SP999999_999999, SAP_JAVA_TECH_SERVICES_700_SP019_000023, SAP_JAVA_TECH_SERVICES_700_SP020_000020, SAP_JAVA_TECH_SERVICES_700_SP021_000019, SAP_JAVA_TECH_SERVICES_700_SP022_000009, SAP_JAVA_TECH_SERVICES_700_SP024_000000, SAP_JAVA_TECH_SERVICES_700_SP999999_999999, SAP_JAVA_TECH_SERVICES_701_SP005_000020, SAP_JAVA_TECH_SERVICES_701_SP006_000018, SAP_JAVA_TECH_SERVICES_701_SP007_000005, SAP_JAVA_TECH_SERVICES_701_SP009_000000, SAP_JAVA_TECH_SERVICES_701_SP999999_999999, SAP_JAVA_TECH_SERVICES_702_SP003_000010, SAP_JAVA_TECH_SERVICES_702_SP004_000007, SAP_JAVA_TECH_SERVICES_702_SP005_000001, SAP_JAVA_TECH_SERVICES_702_SP006_000000, SAP_JAVA_TECH_SERVICES_702_SP007_000000, SAP_JAVA_TECH_SERVICES_702_SP999999_999999, SAP_TECH_S_700_OFFLINE_SP019_000016, SAP_TECH_S_700_OFFLINE_SP020_000015, SAP_TECH_S_700_OFFLINE_SP021_000009, SAP_TECH_S_700_OFFLINE_SP022_000004, SAP_TECH_S_700_OFFLINE_SP024_000000, SAP_TECH_S_700_OFFLINE_SP999999_999999, SAP_TECH_S_OFFLINE_701_SP005_000016, SAP_TECH_S_OFFLINE_701_SP006_000009, SAP_TECH_S_OFFLINE_701_SP007_000003, SAP_TECH_S_OFFLINE_701_SP009_000000, SAP_TECH_S_OFFLINE_701_SP999999_999999, SAP_TECH_S_OFFLINE_702_SP003_000004, SAP_TECH_S_OFFLINE_702_SP004_000004, SAP_TECH_S_OFFLINE_702_SP005_000002, SAP_TECH_S_OFFLINE_702_SP006_000000, SAP_TECH_S_OFFLINE_702_SP007_000000, SAP_TECH_S_OFFLINE_702_SP999999_999999, WEB_DYNPRO_RUNTIME_710_SP008_000014, WEB_DYNPRO_RUNTIME_710_SP009_000008, WEB_DYNPRO_RUNTIME_710_SP010_000004, WEB_DYNPRO_RUNTIME_710_SP011_000001, WEB_DYNPRO_RUNTIME_710_SP012_000000, WEB_DYNPRO_RUNTIME_710_SP999999_999999, WEB_DYNPRO_RUNTIME_711_SP003_000013, WEB_DYNPRO_RUNTIME_711_SP004_000013, WEB_DYNPRO_RUNTIME_711_SP005_000005, WEB_DYNPRO_RUNTIME_711_SP006_000000, WEB_DYNPRO_RUNTIME_711_SP007_000000, WEB_DYNPRO_RUNTIME_711_SP999999_999999, WEB_DYNPRO_RUNTIME_720_SP001_000005, WEB_DYNPRO_RUNTIME_720_SP002_000005, WEB_DYNPRO_RUNTIME_720_SP003_000003, WEB_DYNPRO_RUNTIME_720_SP004_000000, WEB_DYNPRO_RUNTIME_720_SP005_000000, WEB_DYNPRO_RUNTIME_720_SP999999_999999)
Описание
The WebDynpro Framework do not sufficiently encode input parameters,  resulting in a reflected cross-site scripting issue. A reflected  cross-site scripting attack can be used to non-permanently deface or  modify displayed content from a web site. Reflected cross-site scripting  can be used to steal another user's authentication information, such as  data relating to their current session. An attacker who gains access to  this data could use it to impersonate the user and access all  information with the same rights as the target user. If an administrator  is impersonated, the application's security could be fully compromised.
Как исправить
The issue described above will be fixed by a WebDynpro for Java patch.
In section "SP Patch Level" you can find information which patches contain the respective correction.
Please install this patch or a newer one (WD-RUNTIME and FRAMEWORK patches are always cumulative).

If the section "SP Patch Level" is not available or the information about which patch contains the correction is missing, this means that this has not been determined, yet. In this case please re-check this note at a later point of time.
Downloading WebDynpro for Java Patches
All WebDynpro for Java patches are available on SAP Service Marketplace.
Note 330793 explains how to download patches from SAP Service Marketplace.
Note 1395865 explains how to find the Web Dynpro for Java related SCAs.
Ссылки