Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

Security gap in Cross-Site-Scripting, SAP security note 960728

Description

When you call SAP E-Recruiting or when SAP E-Recruiting is running, any JavaScript code can be executed using the URL parameter sap_bsp_fw_active.

To do this, proceed as follows: Attach the character string “&sap_bsp_fw_active=true’);alert(‘XSS’);//” to the URL in the address row of the browser (without the quotes!).
When you start the URL after doing this, you will see that the JavaScript code was carried out. A JavaScript alert with the text “XSS!” appears.

Available fix and Supported packages

  • ERECRUIT | 300 | 300
  • ERECRUIT | 600 | 600
  • ERECRUIT 300 | SAPK-30014INERECRUIT |
  • ERECRUIT 600 | SAPK-60006INERECRUIT |

Affected component

    PA-ER
    E-Recruiting

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/960728

TAGS

#CL_HRRCF_BSP_EXT_FRAMEWORK

Explore More

SAP Security Patch Day RedRays

SAP Security Patch Day – April 2025

On April 8, 2025, SAP released its monthly Security Patch Day updates, addressing 19 new vulnerabilities across various SAP products and components.

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.