Skip links
RedRays - Your SAP Security Solution
Picture of Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security on Udemy

Security XSS vulnerability in ITS 6.20, SAP security note 1385621

Description

ITS 6.20 contains a cross-site scripting (XSS) vulnerability on the login page. If you select a service name that contains specially encoded characters instead of the service name such as WEBGUI, the JavaScript code that is contained in this can be executed in the context of the login page.

Credits to Erwin Paternotte, Fox-IT BV (https://www.fox-it.com) who reported this issue to SAP.

Available fix and Supported packages

  • BC-FES-ITS | 620 | 620
  • SAP ITS 6.20 | SP035 | 000035

Affected component

    BC-FES-ITS
    SAP Internet Transaction Server

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1385621

TAGS

#XSS
#Cross-Site-Scripting
#security

Explore More