The F4 functionality in WEBCUIF and CRMUIF contains code which allows to execute arbitrary simple Search Help that was not provided directly by an application by means of a normal V-Getter. If such a Search Help has no built in authorization mechanism (e.g. if it is a DDIC Search Help), the execution will be possible and the data displayed to the originator of the request. However, there is no possibility to change data. Furthermore, such unauthorized display impacts only master data and in very limited cases where there is no possibility to add authorization checks inside the Search Help.
Available fix and Supported packages
- CRMUIF | 600 | 600
- WEBCUIF | 700 | 700
- WEBCUIF | 701 | 701
- WEBCUIF | 730 | 730
- CRMUIF 600 | SAPK-60011INCRMUIF |
- WEBCUIF 700 | SAPK-70009INWEBCUIF |
- WEBCUIF 701 | SAPK-70103INWEBCUIF |
- WEBCUIF 730 | SAPK-73001INWEBCUIF |
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.