Description
This SAP Note contains fixes for security issues with the Implementation part of SAP Solution Manager (component SV-SMG-IMP*).
The following risks are addressed:
- Cross Site Scripting
The SAP Solution Manager (Implementation part) can be abused by a malicious user allowing them to modify displayed application content without authorization and to potentially obtain authentication information from other legitimate users.
- SQL injection
A malicious user can exploit SAP Solution Manager (Implementation part) using specially crafted inputs to execute arbitrary database commands to retrieve, modify, or remove data persisted by the system.
- Hard-coded user names (Backdoor)
SAP Solution Manager (Implementation part) contains code which changes the program’s behaviour when a user successfully authenticates with a certain username.
Available fix and Supported packages
- ST | 400 | 400
- ST 400 | SAPKITL433 |
Affected component
- SV-SMG-IMP
Implementation / Project and Process Management
CVSS
Score: 0
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/1418031