Description
The Java Server Pages (JSPs) served by the PI Integration Builder Web UI of SAP NetWeaver Process Integration do not restrict, or incorrectly restrict, whether they may be embedded in frames or UI layers belonging to another application or domain. This is a clickjacking vulnerability: an attacker can load the affected page inside a hidden frame on a page under their control and trick a logged-on user into clicking on it.
Successful exploitation leads to unwanted modification of the user’s data.
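The practical check for this class of issue is whether a response carries a framing restriction at all. The script below is an added example for this advisory, not SAP's code and not part of the note: it evaluates the two headers browsers honour for framing decisions (X-Frame-Options and the Content-Security-Policy frame-ancestors directive) and reports whether a page with those headers can be framed by an unrelated origin. The sample header sets at the bottom are constructed; check_url() can be pointed at a real endpoint such as a PI Integration Builder URL on your own host, which is assumed here rather than taken from the note.

```python
"""Framing-control check for web pages such as the PI Integration Builder JSPs.

Added example for this advisory, not code from SAP or from the note itself.
It reads the two response headers browsers use for framing decisions:
X-Frame-Options and the Content-Security-Policy frame-ancestors directive.
The sample headers at the bottom are constructed; check_url() can be pointed
at a real endpoint (a PI Integration Builder URL on your own host is assumed).
"""
import urllib.error
import urllib.request
from typing import List, Mapping, Optional, Tuple

# X-Frame-Options values that stop framing from other origins.
_XFO_RESTRICTIVE = {"DENY", "SAMEORIGIN"}


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the CSP frame-ancestors directive, or None
    when the directive is absent. Quotes are stripped, so 'self' -> self."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'\"").lower() for t in tokens[1:]]
    return None


def assess_framing(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Decide whether a page with these response headers can be embedded in a
    frame by an unrelated origin. Returns (frameable, reason).

    Header names are matched case-insensitively. When both mechanisms are
    present, browsers that support frame-ancestors give it precedence over
    X-Frame-Options, and so does this function."""
    lower = {name.lower(): value.strip() for name, value in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = frame_ancestors(csp)
        if ancestors is not None:
            # An empty source list is equivalent to 'none' per the CSP spec.
            if not ancestors or ancestors == ["none"]:
                return False, "CSP frame-ancestors 'none' blocks all framing"
            if "*" in ancestors:
                return True, "CSP frame-ancestors allows any origin (*)"
            # 'self' and/or an explicit origin list: other origins are refused.
            return False, "CSP frame-ancestors limits framing to: " + " ".join(ancestors)

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        if xfo.upper() in _XFO_RESTRICTIVE:
            return False, f"X-Frame-Options {xfo.upper()} refuses cross-origin framing"
        # ALLOW-FROM is obsolete and ignored by current browsers; any other
        # value is invalid and likewise ignored, so the page stays frameable.
        return True, f"X-Frame-Options value {xfo!r} is obsolete or invalid and is ignored"

    return True, "no X-Frame-Options and no CSP frame-ancestors: any origin can frame the page"


def check_url(url: str, timeout: float = 10.0) -> Tuple[bool, str]:
    """Fetch `url` and assess its framing headers (network access required).
    Error responses such as a 401 logon page are assessed too, since they
    can be framed just like a 200."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as response:
            return assess_framing(dict(response.headers.items()))
    except urllib.error.HTTPError as err:
        return assess_framing(dict(err.headers.items()))


# Constructed sample responses: the first mimics a page with no framing
# control at all, the second a hardened one.
UNPROTECTED = {"Content-Type": "text/html; charset=UTF-8"}
HARDENED = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        frameable, why = assess_framing(hdrs)
        print(f"{label}: frameable={frameable} ({why})")
```

Run it against the unauthenticated URLs of the Integration Builder as well as the pages behind the logon, because a framing header set on one servlet is routinely missing on another. urlopen will reject a self-signed certificate on a test system; supply an SSL context that trusts your CA rather than disabling verification.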
Available fix and supported packages
Software components (Software Component | From release | To release)
- SAP_XIESR | 7.10 | 7.11
- SAP_XIESR | 7.20 | 7.20
- SAP_XIESR | 7.30 | 7.30
- SAP_XIESR | 7.31 | 7.31
- SAP_XIESR | 7.40 | 7.40
- SAP_XIESR | 7.50 | 7.50
- SAP_XITOOL | 7.10 | 7.11
- SAP_XITOOL | 7.30 | 7.30
- SAP_XITOOL | 7.31 | 7.31
- SAP_XITOOL | 7.40 | 7.40
- SAP_XITOOL | 7.50 | 7.50
Support package patches (Software Component Version | Support Package | Patch Level)
- ESR 7.10 | SP021 | 000004
- ESR 7.10 | SP022 | 000005
- ESR 7.10 | SP023 | 000001
- ESR 7.10 | SP024 | 000000
- ESR 7.10 | SP025 | 000000
- ESR 7.11 | SP016 | 000004
- ESR 7.11 | SP017 | 000004
- ESR 7.11 | SP018 | 000001
- ESR 7.11 | SP019 | 000000
- ESR 7.11 | SP020 | 000000
- ESR 7.20 | SP009 | 000018
- ESR 7.30 | SP016 | 000005
- ESR 7.30 | SP017 | 000005
- ESR 7.30 | SP018 | 000003
- ESR 7.30 | SP019 | 000001
- ESR 7.30 | SP020 | 000000
- ESR 7.31 | SP021 | 000006
- ESR 7.31 | SP022 | 000004
- ESR 7.31 | SP023 | 000005
- ESR 7.31 | SP024 | 000002
Affected component
- BC-XI-IBF-UI (UI: Framework, Object Lookup, Admin Pages, Exchange Profile)
CVSS
Score: 4.3 (Medium)
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Reading the vector: the page is reachable over the network with low attack complexity and no privileges, but the victim must interact (UI:R), and the only impact is a low loss of integrity (I:L), which matches the data-modification outcome described above.
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2755502