Skip links

Code injection vulnerability in WEBCUIF components, SAP security note 1484128

Description

The F4 functionality in WEBCUIF and CRMUIF contains code which allows to execute arbitrary simple Search Help that was not provided directly by an application by means of a normal V-Getter. If such a Search Help has no built in authorization mechanism (e.g. if it is a DDIC Search Help), the execution will be possible and the data displayed to the originator of the request. However, there is no possibility to change data. Furthermore, such unauthorized display impacts only master data and in very limited cases where there is no possibility to add authorization checks inside the Search Help.

Available fix and Supported packages

  • CRMUIF | 600 | 600
  • WEBCUIF | 700 | 700
  • WEBCUIF | 701 | 701
  • WEBCUIF | 730 | 730
  • CRMUIF 600 | SAPK-60011INCRMUIF |
  • WEBCUIF 700 | SAPK-70009INWEBCUIF |
  • WEBCUIF 701 | SAPK-70103INWEBCUIF |
  • WEBCUIF 730 | SAPK-73001INWEBCUIF |

Affected component

    CA-WUI-UI
    User Interface

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1484128

TAGS

#Search-Help-Execution
#Unauthorized-display-of-data
#backdoor
#injection
#F4
#Search-Help

Udemy SAP Security Course.

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. This course will help you master SAP security fundamentals, from securing SAP environments to managing user access and addressing vulnerabilities. It is ideal for IT professionals and SAP administrators, providing practical skills to safeguard critical business assets. Whether you’re a beginner or an expert looking to deepen your SAP security knowledge, this course is perfect for you.

More to explorer

SAP Hash Cracking Techniques

Understanding Hash Cracking Hashing is a one-way encryption technique employed to ensure data integrity, authenticate information, and secure passwords alongside other sensitive

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.