Description
1)Several cross site scripting (XSS) vulnerabilities have been discovered in administrative Web interfaces of PI.
2)Some servlets allow bypassing http-only cookie security.
3)Some Exchange Profile parameters are saved as plain text in NWA.
4)Reading and overwriting files using various administrative XI tools Possible.
5)The password is contained in clear text in the HTML source code.
Available fix and Supported packages
- MESSAGING | 7.10 | 7.11
- MESSAGING | 7.20 | 7.20
- MESSAGING | 7.30 | 7.30
- MESSAGING | 7.31 | 7.31
- SAP_XIESR | 7.10 | 7.11
- SAP_XIESR | 7.20 | 7.20
- SAP_XIESR | 7.30 | 7.30
- SAP_XIESR | 7.31 | 7.31
- SAP_XITOOL | 3.0 | 3.0
- SAP_XITOOL | 7.00 | 7.02
- SAP_XITOOL | 7.10 | 7.11
- XI TOOLS 7.02 | SP003 | 000002
- XI TOOLS 7.02 | SP004 | 000003
- XI TOOLS 7.02 | SP005 | 000002
- XI TOOLS 7.02 | SP006 | 000001
Affected component
- BC-XI-IBF
Framework
CVSS
Score: 0
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/1297256
