Security gap in Cross-Site-Scripting, SAP security note 960728

Description

When you call SAP E-Recruiting or when SAP E-Recruiting is running, any JavaScript code can be executed using the URL parameter sap_bsp_fw_active.

To do this, proceed as follows: Attach the character string “&sap_bsp_fw_active=true’);alert(‘XSS’);//” to the URL in the address row of the browser (without the quotes!).
When you start the URL after doing this, you will see that the JavaScript code was carried out. A JavaScript alert with the text “XSS!” appears.

Available fix and Supported packages

ERECRUIT | 300 | 300
ERECRUIT | 600 | 600
ERECRUIT 300 | SAPK-30014INERECRUIT |
ERECRUIT 600 | SAPK-60006INERECRUIT |

Affected component

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/960728

Vahagn Vardanian

Security gap in Cross-Site-Scripting, SAP security note 960728

Description

Available fix and Supported packages

Affected component

CVSS

PoC

URL

TAGS

#CL_HRRCF_BSP_EXT_FRAMEWORK

Explore More

Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Fixed: Actively Exploited in the Wild

Securing Your SAP Migration: Integrating RedRays ABAP Security Scanner into DevSecOps Workflows

RedRays ABAP Security Scanner – Transforming SAP Security Through Advanced Code Analysis

SAP Security Patch Day – April 2025

Vahagn Vardanian

Security gap in Cross-Site-Scripting, SAP security note 960728

Description

Available fix and Supported packages

Affected component

CVSS

PoC

URL

TAGS

#CL_HRRCF_BSP_EXT_FRAMEWORK

Explore More

Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Fixed: Actively Exploited in the Wild

Securing Your SAP Migration: Integrating RedRays ABAP Security Scanner into DevSecOps Workflows

RedRays ABAP Security Scanner – Transforming SAP Security Through Advanced Code Analysis

SAP Security Patch Day – April 2025

Special offer for SAP Security Udemy course!

$ 9.99