Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(866020-20)
SAP Support Packages
(SAPKB64014, SAPKB64015, SAPKB64016, SAPKB64019, SAPKB70005, SAPKB70006, SAPKB70011)
Описание
User input using a Web front end, or input in general from user input and log files, is displayed directly. This means that it is possible to unintentionally execute external source code (such as JavaScript) in an application.
Как исправить
Any external user input or content that comes from external sources, such as log files, should, when displayed in a Web browser, be changed into a format that can be displayed in a browser.
SAP therefore has created a number of encoding methods that encode according to OWASP rules (for more information, see the OWASP XSS Prevention Cheat Sheet).
ABAP (SAP Note1582870):
The class CL_ABAP_DYN_PRG contains the XSS encoding methods. See also security note 1487337.
C/C++(SAP Note 1582867):
These functions are available only within SAP. Create a customer message for BC-SEC.
Java (SAP Note 1590008):
The security. class of the J2EE library and JEE library (to be more precise: the JAR file tc_sec_csi.jar)
The functions are generally available as of the releases specified on the "SP Patch Level" tab page in the related SAP notes 1582868, 1582870 and 1590008.
SAP therefore has created a number of encoding methods that encode according to OWASP rules (for more information, see the OWASP XSS Prevention Cheat Sheet).
ABAP (SAP Note1582870):
The class CL_ABAP_DYN_PRG contains the XSS encoding methods. See also security note 1487337.
C/C++(SAP Note 1582867):
These functions are available only within SAP. Create a customer message for BC-SEC.
Java (SAP Note 1590008):
The security. class of the J2EE library and JEE library (to be more precise: the JAR file tc_sec_csi.jar)
The functions are generally available as of the releases specified on the "SP Patch Level" tab page in the related SAP notes 1582868, 1582870 and 1590008.
Ссылки