Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

Cross-Frame Scripting protection in logon application, SAP security note 1651004

Description

This security note has been updated. For more detailed information, see
Security Note 1716165 and Security Note 1839511.

The SAP logon application can be abused by an attacker, allowing them to gain access to data entered in the different pages of the logon application by a legitimate user.

Available fix and Supported packages

  • EPBC2 | 7.00 | 7.02
  • EP-PSERV | 6.0_640 | 6.0_640
  • SAP-JEE | 6.40 | 6.40
  • SAP-JEE | 7.00 | 7.02
  • SAP_JTECHS | 6.40 | 6.40
  • SAP_JTECHS | 7.00 | 7.02
  • SAP-JEECOR | 7.00 | 7.00
  • SAP-JEECOR | 6.40 | 6.40
  • SAP-JEECOR | 7.01 | 7.02
  • SERVERCORE | 7.10 | 7.10
  • SERVERCORE | 7.11 | 7.11
  • SERVERCORE | 7.20 | 7.20
  • SERVERCORE | 7.30 | 7.30
  • SERVERCORE | 7.31 | 7.31
  • J2EE-APPS | 7.10 | 7.11
  • J2EE-APPS | 7.20 | 7.20
  • J2EE-APPS | 7.30 | 7.30
  • J2EE-APPS | 7.31 | 7.31
  • J2EE ENGINE APPLICATIONS 7.10 | SP011 | 000005
  • J2EE ENGINE APPLICATIONS 7.10 | SP012 | 000004
  • J2EE ENGINE APPLICATIONS 7.10 | SP013 | 000001
  • J2EE ENGINE APPLICATIONS 7.10 | SP014 | 000001
  • J2EE ENGINE APPLICATIONS 7.10 | SP015 | 000000
  • J2EE ENGINE APPLICATIONS 7.11 | SP005 | 000018
  • J2EE ENGINE APPLICATIONS 7.11 | SP006 | 000010
  • J2EE ENGINE APPLICATIONS 7.11 | SP007 | 000007
  • J2EE ENGINE APPLICATIONS 7.11 | SP008 | 000003
  • J2EE ENGINE APPLICATIONS 7.11 | SP009 | 000000
  • J2EE ENGINE APPLICATIONS 7.20 | SP003 | 000015
  • J2EE ENGINE APPLICATIONS 7.20 | SP004 | 000012
  • J2EE ENGINE APPLICATIONS 7.20 | SP005 | 000005
  • J2EE ENGINE APPLICATIONS 7.20 | SP006 | 000002
  • J2EE ENGINE APPLICATIONS 7.20 | SP007 | 000000
  • J2EE ENGINE APPLICATIONS 7.30 | SP001 | 000007
  • J2EE ENGINE APPLICATIONS 7.30 | SP002 | 000007
  • J2EE ENGINE APPLICATIONS 7.30 | SP003 | 000003
  • J2EE ENGINE APPLICATIONS 7.30 | SP004 | 000002
  • J2EE ENGINE APPLICATIONS 7.30 | SP005 | 000002

Affected component

    BC-JAS-SEC
    Security, User Management

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1651004

TAGS

#cross-frame-scripting
#XFS
#logon-application

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.