• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1526068

Главная Специалистам База уязвимостей Не установлено обновление Note 1526068

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1526068-1)
Описание
BP MSS 60.1 executes certain functions through referencing specific  URLs. When an attacker tricks an authenticated user's browser into  making a request containing a certain URL and specific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
It is recommended not to use specific iViews and HTMLB Java pages of the Business Package BP MSS 60.1 (part: My Budget) anymore due to the mentioned risks for the security. This BP is part of ERP 2004 which is based on HTMLB/Java. You are asked to delete the corrsponding iViews as described below.
As a consequence of that deletion, you all Portal Objects which are linked to one or more of these iViews have t obe adapted as well. That means the existing links to deleted iViews have to be removed as well.

Note: The part of that Business Package named "Manager Self-Service: My Staff" is not in scope of this note.

Note: In ERP 2004 the successor of Business Package BP MSS 60.1 (part: My Budget) is the Business Package mySAP ERP 2004 MSS (part: My Budget) which is also available with ERP 2004. The Latter Business Package is based on the Web Dynpro technology and should be used instead.
Ссылки