Description
UPDATE 26th January 2021: We made a few minor textual changes to the note. No changes have been made that require customer action.
UPDATE 14th January 2020: This note has been re-released with updated “Manual Pre-Implementation Steps” step 6 and “Manual Post-Implementation Steps” step 3 (in releases where available).
The UI5 HTTP Handler allows an attacker to manipulate content due to insufficient URL validation. Some well-known impacts of this vulnerability class are:
- phishing attacks that steal the victim's credentials
- redirecting users to untrusted web pages containing malware or similar malicious exploits
- presenting false information to the victim
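The defect class behind this note, a navigation target taken from the request and checked only superficially before use, is illustrated below with an added Python example. It is not SAP's code and does not reproduce the UI5 HTTP Handler's logic; the host allowlist and base URL are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Constructed assumptions: the application's own origin and the hosts it
# is allowed to send users to.
APP_BASE = "https://app.example.com/"
ALLOWED_HOSTS = {"app.example.com"}


def weak_is_safe(target: str) -> bool:
    """Insufficient validation: a string-prefix check that accepts
    protocol-relative URLs ("//evil.example/...") and look-alike hosts
    ("https://app.example.com.evil.example/")."""
    return target.startswith("/") or target.startswith("https://app.example.com")


def strict_is_safe(target: str) -> bool:
    """Hardened validation: resolve the target the way a browser would and
    accept it only if the result is http(s) on an allowlisted host."""
    if not target or any(ch in target for ch in "\r\n\x00"):
        return False
    # Browsers treat backslashes as slashes, so "/\evil.example/" is really
    # "//evil.example/"; normalise before parsing rather than after.
    resolved = urljoin(APP_BASE, target.replace("\\", "/"))
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return False  # rejects javascript:, data:, etc.
    if parts.username is not None or parts.password is not None:
        return False  # rejects "https://app.example.com@evil.example/"
    return parts.hostname in ALLOWED_HOSTS


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Use the requested target only when it passes the strict check."""
    return target if strict_is_safe(target) else fallback
```

The weak check is kept only to show which inputs it lets through; `strict_is_safe` is the form a handler should use before issuing a redirect or embedding a link.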
Available fix and Supported packages
Affected releases (software component | from release | to release):
- SAP_UI | 750 | 750
- SAP_UI | 751 | 751
- SAP_UI | 752 | 752
- SAP_UI | 753 | 753
- SAP_UI | 754 | 754
- UI_700 | 200 | 200
Correction support packages (software component release | support package):
- SAP_UI 750 | SAPK-75016INSAPUI
- SAP_UI 751 | SAPK-75112INSAPUI
- SAP_UI 752 | SAPK-75209INSAPUI
- SAP_UI 753 | SAPK-75305INSAPUI
- SAP_UI 754 | SAPK-75401INSAPUI
- UI_700 200 | SAPK-20016INUI700
Affected component
- CA-UI5-DLV (UI5 ABAP delivery tools)
CVSS
Score: 4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2843016