• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1592426 - PI SEC: Unauthorized use of administrative functions in PI

Главная Специалистам База уязвимостей Note 1592426 - PI SEC: Unauthorized use of administrative functions in PI

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1592426-2) SAP Support Packages (SAPKB64030, SAPKB70026, SAPKB70111, SAPKB70211, SAPKB71014, SAPKB71109, SAPKB73007, SAPKB73101, XI_ADAPTER_FRAMEWORK_30_SP030_000000, XI_ADAPTER_FRAMEWORK_30_SP999999_999999, XI_ADAPTER_FRAMEWORK_700_SP027_000000, XI_ADAPTER_FRAMEWORK_700_SP999999_999999, XI_ADAPTER_FRAMEWORK_701_SP011_000000, XI_ADAPTER_FRAMEWORK_701_SP012_000000, XI_ADAPTER_FRAMEWORK_701_SP999999_999999, XI_ADAPTER_FRAMEWORK_702_SP011_000000, XI_ADAPTER_FRAMEWORK_702_SP012_000000, XI_ADAPTER_FRAMEWORK_702_SP999999_999999, XI_ADAPTER_FRAMEWORK_710_SP014_000000, XI_ADAPTER_FRAMEWORK_710_SP015_000000, XI_ADAPTER_FRAMEWORK_710_SP999999_999999, XI_ADAPTER_FRAMEWORK_711_SP009_000000, XI_ADAPTER_FRAMEWORK_711_SP999999_999999, XI_ADAPTER_FRAMEWORK_730_SP004_000000, XI_ADAPTER_FRAMEWORK_730_SP007_000000, XI_ADAPTER_FRAMEWORK_730_SP999999_999999, XI_ADAPTER_FRAMEWORK_731_SP000_000000, XI_ADAPTER_FRAMEWORK_731_SP003_000000, XI_ADAPTER_FRAMEWORK_731_SP999999_999999, XI_TOOLS_700_SP027_000000, XI_TOOLS_700_SP999999_999999, XI_TOOLS_701_SP011_000000, XI_TOOLS_701_SP012_000000, XI_TOOLS_701_SP999999_999999, XI_TOOLS_702_SP011_000000, XI_TOOLS_702_SP012_000000, XI_TOOLS_702_SP999999_999999, XI_TOOLS_710_SP014_000000, XI_TOOLS_710_SP999999_999999, XI_TOOLS_711_SP009_000000, XI_TOOLS_711_SP999999_999999, XI_TOOLS_730_SP004_000000, XI_TOOLS_730_SP999999_999999, XI_TOOLS_731_SP000_000000, XI_TOOLS_731_SP999999_999999)
Описание
PI Adapter Framework executes certain functions by referencing specific  URLs. When malicious user tricks an authenticated user's browser into  making a request containing a certain URL and specific parameters, the  function is executed with the rights of the authenticated user. The  malicious user may use a cross-site scripting attack to do this, or they may present a link to the victim.

As part of the changes, the ABAP role SAP_XI_ID_SERV_USER was enhanced  with the authorization object S_ICF and attributes ICF_FIELD=SERVICE, ICF_VALUE=XICACHE.
Как исправить
This is fixed with the referenced Support Packages and Patches of Software Components 'XI ADAPTER FRAMEWORK' (SAP_XIAF), 'XI TOOLS' (SAPXITOOL), and SAP_BASIS.
Ссылки