
CVE-2019-0388 Content spoofing vulnerability in UI5 HTTP Handler, SAP security note 2843016

Description

UPDATE 26th January 2021: We made a few minor textual changes in the note. No changes requiring customer action have been made.

UPDATE 14th January 2020: This note has been re-released with updated “Manual Pre-Implementation Steps” step 6 and “Manual Post-Implementation Steps” step 3 (in releases where available).

UI5 HTTP Handler allows an attacker to manipulate content due to insufficient URL validation. Some well-known impacts of the vulnerability are:

  • phishing attacks to steal credentials of the victim
  • redirect users to untrusted webpages containing malware or similar malicious exploits
  • providing false information to the victim

Available fix and Supported packages

Affected software components (component | from release | to release):

  • SAP_UI | 750 | 750
  • SAP_UI | 751 | 751
  • SAP_UI | 752 | 752
  • SAP_UI | 753 | 753
  • SAP_UI | 754 | 754
  • UI_700 | 200 | 200

Correcting support packages (component release | support package):

  • SAP_UI 750 | SAPK-75016INSAPUI
  • SAP_UI 751 | SAPK-75112INSAPUI
  • SAP_UI 752 | SAPK-75209INSAPUI
  • SAP_UI 753 | SAPK-75305INSAPUI
  • SAP_UI 754 | SAPK-75401INSAPUI
  • UI_700 200 | SAPK-20016INUI700

Affected component

    CA-UI5-DLV
    UI5 ABAP delivery tools

CVSS

Score: 4.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploit

Detailed vulnerability information has been added to the RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2843016

TAGS

#Content-spoofing
#Phishing-attack
#UI5-handler
#CVE-2019-0388
