Description
The Dynpro processing within SAP GUI for HTML allows an attacker to trick an authenticated user to send unintended request to the Web server. This vulnerability is due to insufficient CSRF protection.
Some well-known impacts of CSRF vulnerability are –
- Attacker could take actions on behalf of an authenticated user
- Loss of non-repudiation
Available fix and Supported packages
- KRNL64NUC | 7.42 | 7.42
- KRNL64NUC | 7.22 | 7.22
- KRNL64NUC | 7.22EXT | 7.22EXT
- KRNL64NUC | 7.49 | 7.49
- KRNL64UC | 7.42 | 7.42
- KRNL64UC | 7.22 | 7.22
- KRNL64UC | 7.22EXT | 7.22EXT
- KRNL64UC | 7.49 | 7.49
- KERNEL | 7.22 | 7.22
- KERNEL | 7.42 | 7.42
- KERNEL | 7.45 | 7.45
- KERNEL | 7.49 | 7.49
- SAP KERNEL 7.22 64-BIT | SP210 | 000210
- SAP KERNEL 7.22 64-BIT UNICODE | SP210 | 000210
- SAP KERNEL 7.22 EXT 64-BIT | SP210 | 000210
- SAP KERNEL 7.22 EXT 64-BIT UC | SP210 | 000210
- SAP KERNEL 7.42 64-BIT | SP424 | 000424
- SAP KERNEL 7.42 64-BIT | SP430 | 000430
- SAP KERNEL 7.42 64-BIT UNICODE | SP424 | 000424
- SAP KERNEL 7.42 64-BIT UNICODE | SP430 | 000430
- SAP KERNEL 7.45 64-BIT | SP310 | 000310
- SAP KERNEL 7.45 64-BIT UNICODE | SP310 | 000310
- SAP KERNEL 7.49 64-BIT UNICODE | SP009 | 000009
- SAP KERNEL 7.49 64-BIT UNICODE | SP014 | 000014
Affected component
- BC-FES-ITS
SAP Internet Transaction Server
CVSS
Score: 0
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2316723
