Note 1681906 - Unauthorized modification of displayed content in SRM-EBP

Vulnerability card

Vulnerability characteristics

Severity level
CVSS score
Software vendor
SAP
Software name
SAP Notes (1681906-2) SAP Support Packages (712, SAPKU50021, SAPKU52011, SAPKU60011, SAPKU60012, SAPKU70011, SAPKU70012, SAPKU70108, SAPKU70109, SAPKU70203)
Description
The BSP applications CFX, CFXML_TEST, CFX_RFC_UI, CFX_TEST_SL, CFX_TEXT, and CFX_UI2 within SRM-EBP do not sufficiently encode OUTPUT parameters, resulting in a reflected cross-site scripting issue.

The SICF services CF, CFS, FOLDER, TOPICS, and XMB_300 do not sufficiently encode OUTPUT parameters, resulting in a cross-site scripting issue. A reflected cross-site scripting attack can be used to non-permanently deface or modify displayed content from a Web site.

Reflected cross-site scripting can be used to steal another user's authentication information, such as data relating to their current session. An attacker who gains access to this data may use it to impersonate the user and access all information with the same rights as the target user. If an administrator is impersonated, the security of the application may be fully compromised.
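To make the encoding gap in the description concrete, the following BSP page fragment is an added illustration; it is not the code of the CFX applications and does not come from the SAP note. It assumes a hypothetical page attribute `message` of type STRING that the page's OnInitialization handler fills from the request, and it shows the unencoded output pattern beside the HTML-encoded form that closes the reflected XSS path.

```abap
<%@page language="abap" %>
<%-- Added illustration, not the CFX application's own code. Assumes a page
     attribute 'message' (type STRING) that is filled in the OnInitialization
     event handler with:  message = request->get_form_field( 'message' ).  --%>
<html>
<body>
<%-- Vulnerable pattern: the request value is written into the response as-is,
     so any markup carried in the parameter is interpreted by the browser
     (this is the "insufficiently encoded OUTPUT parameter" case). --%>
<p><%= message %></p>

<%-- Hardened pattern: HTML-encode the value before it reaches the response,
     so '<', '>', '&' and quotes are rendered as text, not as markup. --%>
<p><%= cl_http_utility=>escape_html( message ) %></p>
</body>
</html>
```

The encoding must be applied at every point where request-derived data is written into the response (HTML body, attribute values, and JavaScript contexts each need the matching encoder); a single forgotten call is enough to reintroduce the issue, which is why a page-wide default such as the BSP page directive's `forceEncode="html"` attribute is the safer baseline where the release supports it.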
How to fix
Apply the correction instruction or install the related support package.

If the software component CPRXRPM is installed on your CRM system, please consider Note 1661780. This software component is the underlying component of the Add-On products SAP CPROJECT SUITE and SAP PORTFOLIO AND PROJECT MANAGEMENT.
------------------------------------------------------------------------
|Manual Activity                                                       |
------------------------------------------------------------------------
|VALID FOR                                                             |
|Software Component   BBPCRM                        BBP / CRM         |
| Release 500          SAPKU50001 - SAPKU50020                         |
| Release 520          SAPKU52001 - SAPKU52010                         |
| Release 700          SAPKU70001 - SAPKU70010                         |
| Release 600          SAPKU60001 - SAPKU60010                         |
| Release 701          SAPKU70103 - SAPKU70107                         |
| Release 702          SAPKU70201 - SAPKU70202                         |
------------------------------------------------------------------------

Deletion of BSP applications:

- Start transaction 'SE80'
- Select BSP application 'CFX'
- Click on the right mouse button and select 'Delete'

- Select BSP application 'CFXML_TEST'
- Click on the right mouse button and select 'Delete'

- Select BSP application 'CFX_TEST_SL'
- Click on the right mouse button and select 'Delete'

- Select BSP application 'CFX_TEXT'
- Click on the right mouse button and select 'Delete'

- Select BSP application 'CFX_UI2'
- Click on the right mouse button and select 'Delete'


!!!CAUTION: You must not process the following steps if the software component CPRXRPM is installed in your CRM system !!!

- Select BSP application 'CFX_RFC_UI'
- Click on the right mouse button and select 'Delete'


Deletion of SICF nodes:

- Start transaction SICF

- In the selection screen enter 'CF' in field 'Service Name'
- Select button 'Execute'
- Select SICF node 'CF' in the tree
- Select button 'Delete Service Hierarchy' and delete the SICF node
- Navigate back to the selection screen

- In the selection screen enter 'CFS' in field 'Service Name'
- Select button 'Execute'
- Select SICF node 'CFS' in the tree
- Select button 'Delete Service Hierarchy' and delete the SICF node
References
Note 1681887 - Unauthorized modification of displayed content in IPC UI
Note 1682054 - Unauthorized modification of displayed content in SRM-SUS