Skip links

Automatic usage of Whitelist Service for Clickjacking Framing Protection in SAPUI5 Apps, SAP security note 2245332

Description

You can use the whitelist service for clickjacking framing protection described in SAP Note 2319727 to define rules for protecting web applications hosted on an SAP NetWeaver ABAP system against clickjacking attacks.

If you have configured the whitelist service, you expect that any SAPUI5 app hosted on an ABAP system is automatically protected against clickjacking attacks. This however is not the case.

Available fix and Supported packages

  • UI_INFRA | 100 | 100
  • SAP_UI | 740 | 740
  • SAP_UI | 750 | 750
  • UI_700 | 200 | 200
  • UI_INFRA 100 | SAPK-10015INUIINFRA |
  • SAP_UI 740 | SAPK-74015INSAPUI |
  • SAP_UI 750 | SAPK-75002INSAPUI |
  • UI_700 200 | SAPK-20002INUI700 |

Affected component

    CA-UI5-ABA
    ABAP (see SAP Note 2549631)

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2245332

TAGS

#UI-redressing-attack
#Clickjacking
#Framing-Protection
#Framing
#IFrame
#UI-Redressing
#Clickjacking-Whitelist
#X-FRAME-OPTIONS
#SAPUI5

How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer

Initiating SAP Penetration Testing

►   Pentest, short for penetration testing, refers to a set of processes that simulate an attacker’s actions to identify security vulnerabilities. Companies

SAP Security Patch Day RedRays

May 2024 SAP Security Patch Day

Vulnerability: Multiple vulnerabilities in SAP CX Commerce SAP Component: CEC-SCC-PLA-PL CVE ID: CVE-2019-17495 CVSS Score: 9.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Category: Program error