• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1695596 - Unauthorized modification of stored content in IS-UT

Главная Специалистам База уязвимостей Note 1695596 - Unauthorized modification of stored content in IS-UT

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1695596-4) SAP Support Packages (616, SAPK-60022INFICA, SAPK-60212INFICA, SAPK-60213INFICA, SAPK-60311INFICA, SAPK-60312INFICA, SAPK-60412INFICA, SAPK-60413INFICA, SAPK-60509INFICA, SAPK-60603INFICA, SAPK-60604INFICA, SAPK-60605INFICA)
Описание
ITS Services EWHV and EWB_WEBGUI within Application Component IS-UT results in a stored cross-site scripting issue.It can be used to permanently modify displayed content from a Web site,  allowing the attacker to embed content that is rendered automatically,  without the attacker having to target victims individually.Stored cross-site scripting can also be used to steal another user's  authentication information, such as data relating to their current session.An attacker who gains access to this data may use it to impersonate the  user and access all information with the same rights as the target user.  If an administrator is impersonated, the security of the application may be fully compromised.
Как исправить
Please apply this note or import the changes via the relevant support package.The corrections of this note do only have an protecting effect, if the corrections of notes 1621946 and 1488500 are implemented.------------------------------------------------------------------------|Manual Post-Implement.                                                |------------------------------------------------------------------------|VALID FOR                                                             ||Software Component   FI-CA                          FI Contract Acc...|| Release 600          SAPK-60001INFICA - SAPK-60021INFICA             || Release 602          Until SAPK-60211INFICA                          || Release 604          SAPK-60401INFICA - SAPK-60411INFICA             || Release 603          Until SAPK-60310INFICA                          || Release 605          Until SAPK-60508INFICA                          || Release 606          SAPK-60601INFICA - SAPK-60603INFICA             |------------------------------------------------------------------------Execute the report ITS_XSS_PARAM_EWHV and specify when requested a corresponding transport request number. The report will add service parameters for the adapted ITS services (maintained via the GUI configuration pushbutton for a service within transaction SICF).
Ссылки