Skip links

CRM ABAP solution Display orders of other users possible, SAP security note 625135

Description

Due to a technical problem, an Internet user can display all sales orders in the system.
For the Java-based SAP Internet Sales application, this only applies to the B2C scenario.
For the ITS-based SAP Internet Sales application, this only applies if the ~multiinstanceservices parameter is specified with ‘0’ in the service file (<ITS-Instanz>\services\isas of2c.srvc (isas of2b oder global), also see Note 416209). In this case, both scenario B2C and B2B are affected.

Available fix and Supported packages

  • BBPCRM | 20B | 20C
  • BBPCRM | 300 | 300
  • BBPCRM | 310 | 310
  • BBPCRM | 400 | 400
  • BBPCRM 300 | SAPKU30016 |
  • BBPCRM 20B | SAPKU20B30 |
  • BBPCRM 310 | SAPKU31006 |
  • BBPCRM 20C | SAPKU20C23 |
  • BBPCRM 400 | SAPKU40002 |

Affected component

    CRM-ISA
    Internet Sales

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/625135

TAGS

#SAP-Internet-Sales
#security
#security-gap
#order-status
#ISAS-OF2B

How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer

Initiating SAP Penetration Testing

►   Pentest, short for penetration testing, refers to a set of processes that simulate an attacker’s actions to identify security vulnerabilities. Companies

SAP Security Patch Day RedRays

May 2024 SAP Security Patch Day

Vulnerability: Multiple vulnerabilities in SAP CX Commerce SAP Component: CEC-SCC-PLA-PL CVE ID: CVE-2019-17495 CVSS Score: 9.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Category: Program error