Skip links
RedRays - Your SAP Security Solution
RedRays SAP Security Team

RedRays SAP Security Team

Security gap in Cross-Site-Scripting, SAP security note 960728

Description

When you call SAP E-Recruiting or when SAP E-Recruiting is running, any JavaScript code can be executed using the URL parameter sap_bsp_fw_active.

To do this, proceed as follows: Attach the character string “&sap_bsp_fw_active=true’);alert(‘XSS’);//” to the URL in the address row of the browser (without the quotes!).
When you start the URL after doing this, you will see that the JavaScript code was carried out. A JavaScript alert with the text “XSS!” appears.

Available fix and Supported packages

  • ERECRUIT | 300 | 300
  • ERECRUIT | 600 | 600
  • ERECRUIT 300 | SAPK-30014INERECRUIT |
  • ERECRUIT 600 | SAPK-60006INERECRUIT |

Affected component

    PA-ER
    E-Recruiting

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/960728

TAGS

#CL_HRRCF_BSP_EXT_FRAMEWORK

How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer

Initiating SAP Penetration Testing

May 14, 2024

►   Pentest, short for penetration testing, refers to a set of processes that simulate an attacker’s actions to identify security vulnerabilities. Companies

SAP Security Patch Day RedRays

May 2024 SAP Security Patch Day

May 14, 2024

Vulnerability: Multiple vulnerabilities in SAP CX Commerce SAP Component: CEC-SCC-PLA-PL CVE ID: CVE-2019-17495 CVSS Score: 9.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Category: Program error