Vahagn Vardanian

Co-founder and CTO of RedRays

CRM ABAP solution: Display orders of other users possible (SAP security note 625135)

Description

Due to a technical problem, an Internet user can display all sales orders in the system, not only the user's own.
For the Java-based SAP Internet Sales application, this only applies to the B2C scenario.
For the ITS-based SAP Internet Sales application, this only applies if the ~multiinstanceservices parameter is set to '0' in the service file (<ITS instance>\services\isas of2c.srvc; isas of2b or global); see also Note 416209. In that configuration both the B2C and the B2B scenario are affected.
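
The gap described above is a missing ownership check on the order-status lookup: the server resolves the order purely from the order number the client supplies. The following is an added example, not SAP's Internet Sales code, that models that lookup in a small in-memory shop: `order_status_vulnerable` returns any order by number, `order_status_fixed` additionally requires that the order belongs to the sold-to party resolved at login, and `enumerate_visible` plays the Internet user walking sequential order numbers. A second helper, `multiinstanceservices_exposes_b2b`, flags an ITS service file that sets ~multiinstanceservices to 0, the setting the note names as extending the exposure to B2B; it assumes the usual one `~parameter value` pair per line layout of an ITS .srvc file. All names, order numbers and business-partner IDs are constructed for the example.

```python
"""Illustrative model of the access-control gap in SAP Note 625135.

Added example code, not SAP's Internet Sales implementation. Orders,
business partners and session data below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    sold_to: str        # business partner (sold-to party) that owns the order
    net_value: float


@dataclass(frozen=True)
class Session:
    user: str
    sold_to: str        # resolved server-side at login, never taken from the request


# Constructed sample data: three orders owned by three different sold-to parties.
ORDERS = {
    "0000000101": Order("0000000101", "BP-ALICE", 120.0),
    "0000000102": Order("0000000102", "BP-BOB", 2450.0),
    "0000000103": Order("0000000103", "BP-ACME", 9900.0),
}


class NotFound(Exception):
    """Raised for unknown orders and, in the fixed handler, for foreign ones."""


def order_status_vulnerable(session: Session, order_id: str) -> Order:
    """Looks the order up by number only: the caller's identity is ignored,
    so any Internet user who guesses a number can read that order."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id)


def order_status_fixed(session: Session, order_id: str) -> Order:
    """Same lookup, but the order must belong to the caller's sold-to party.
    In a B2B shop several contacts share one sold-to party, so checking the
    sold-to party (not the user name) is what scopes the view correctly.
    A foreign order is reported as 'not found' so an enumerating client
    cannot even confirm that the number exists."""
    order = ORDERS.get(order_id)
    if order is None or order.sold_to != session.sold_to:
        raise NotFound(order_id)
    return order


def enumerate_visible(handler, session: Session, candidate_ids) -> list:
    """Simulate a client walking candidate order numbers through `handler`;
    returns the numbers it was able to display."""
    seen = []
    for oid in candidate_ids:
        try:
            handler(session, oid)
            seen.append(oid)
        except NotFound:
            pass
    return seen


def multiinstanceservices_exposes_b2b(srvc_text: str) -> bool:
    """True if an ITS service file sets ~multiinstanceservices to 0.
    Assumed layout: one '~parameter value' pair per line; other lines are ignored."""
    for line in srvc_text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0].lower() == "~multiinstanceservices":
            return len(parts) > 1 and parts[1].strip().strip('"') == "0"
    return False


if __name__ == "__main__":
    alice = Session("alice", "BP-ALICE")
    ids = sorted(ORDERS)
    print("vulnerable:", enumerate_visible(order_status_vulnerable, alice, ids))
    print("fixed:     ", enumerate_visible(order_status_fixed, alice, ids))
    print("B2B exposed:", multiinstanceservices_exposes_b2b("~multiinstanceservices 0\n~theme 99\n"))
```

The point of `enumerate_visible` is that the vulnerable handler lets Alice read every order in the table while the fixed handler returns only her own; the distinction between "does not exist" and "not yours" is deliberately collapsed in the fixed path.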

Affected releases and correcting Support Packages

Affected software component and release range (from / to):

  • BBPCRM | 20B | 20C
  • BBPCRM | 300 | 300
  • BBPCRM | 310 | 310
  • BBPCRM | 400 | 400

Support Package that contains the correction:

  • BBPCRM 20B | SAPKU20B30
  • BBPCRM 20C | SAPKU20C23
  • BBPCRM 300 | SAPKU30016
  • BBPCRM 310 | SAPKU31006
  • BBPCRM 400 | SAPKU40002

Affected component

    CRM-ISA
    Internet Sales

CVSS

Score: 0 (no CVSS vector is given on this page; read the value as unrated rather than as a measured severity)

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/625135

TAGS

#SAP-Internet-Sales
#security
#security-gap
#order-status
#ISAS-OF2B
