Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1526079-3)
SAP Support Packages
(BP_MSS_601_SP005_000023, BP_MSS_601_SP999999_999999)
Описание
Manager Self Service (MSS) 60.1 executes certain functions through referencing specific URLs. When an attacker tricks an authenticated user#s browser into making a request containing a certain URL and spe cific parameters, the function is executed with the rights of the user.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
If present, the attacker may use a Cross Site Scripting attack to trigger the exploit, or use an approach in which a link to click is presented to the victim.
Как исправить
In order to enable XSRF Protection it will be necessary to provide your J2EE Server based on NW/645 with the appropriate Support Package Level on application and basis side. In this context you have to deploy the following Minimum Support Packages State to your system:
-> MSS: BPMSS601_23
-> J2EE: NW645/SP22
Please note that Patch 23 of MSS 60.1 includes only updates in the context of XSRF Protection. Starting with Patch 23 all upcoming Support Packages of MSS will mandatory need at least NW Basis on SP level 22 or higher.
-> MSS: BPMSS601_23
-> J2EE: NW645/SP22
Please note that Patch 23 of MSS 60.1 includes only updates in the context of XSRF Protection. Starting with Patch 23 all upcoming Support Packages of MSS will mandatory need at least NW Basis on SP level 22 or higher.
Ссылки