Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:M/AU:N/C:N/I:P/A:NSAP)
Производитель ПО
Наименование ПО
SAP Notes
(1784771-3)
Описание
Some pages within BOE Xir3 web application enable a cross-domain redirection tooccur. An attacker can include a URL from a different domain in a URL of the target application, which can then be sent to a user of the target application.The user thinks that the content is from the target application, but when they visit such a page, the content is delivered from the domain chosen by the attacker.The attacker can then mimic pages of the target application (for example, a logon page) to get the victim to disclose information they would not otherwise reveal to the attacker (such as their password). This can be mitigated by restricting redirections to relative or local domains only.
Как исправить
Install FixPack 4.4 or FixPack 5.5 to apply this fix.
Ссылки