Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

Security XML generation encoded for OLTP data generation, SAP security note 1493685

Description

User runs OLTP application and loads a report.  This triggers request sent to backend data provider component which requests data from BW and sends back the data to the data provider.  The data provider will take the data and render it in XML structure and send back to application front.  The code that generates XML is exploitable and needs to be prevented.

Available fix and Supported packages

  • BBPCRM | 520 | 520
  • BBPCRM | 600 | 600
  • BBPCRM | 700 | 700
  • BBPCRM | 701 | 701
  • BBPCRM 701 | SAPKU70102 |
  • BBPCRM 520 | SAPKU52011 |
  • BBPCRM 600 | SAPKU60009 |
  • BBPCRM 700 | SAPKU70009 |

Affected component

    CRM-ANA
    CRM Analytics

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1493685

TAGS

#Security
#Cross-Site-Scripting
#OLTP
#OLTP-data-provider
#BW-date
#XML-generation
#HTTP-response-header
#HTTP-response

Explore More

RedRays AI for ABAP Code Security

Empowering Secure, Efficient, and Compliant SAP ABAP Development—in Real Time and Without Data Retention In today’s rapidly evolving business landscape, organizations increasingly

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.