Description
When you call SAP E-Recruiting or when SAP E-Recruiting is running, any JavaScript code can be executed using the URL parameter sap_bsp_fw_active.
To do this, proceed as follows: Attach the character string “&sap_bsp_fw_active=true’);alert(‘XSS’);//” to the URL in the address row of the browser (without the quotes!).
When you start the URL after doing this, you will see that the JavaScript code was carried out. A JavaScript alert with the text “XSS!” appears.
Available fix and Supported packages
- ERECRUIT | 300 | 300
- ERECRUIT | 600 | 600
- ERECRUIT 300 | SAPK-30014INERECRUIT |
- ERECRUIT 600 | SAPK-60006INERECRUIT |
Affected component
- PA-ER
E-Recruiting
CVSS
Score: 0
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/960728