Skip links
RedRays - Your SAP Security Solution
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Security XML generation encoded for OLTP data generation, SAP security note 1493685

Description

User runs OLTP application and loads a report.  This triggers request sent to backend data provider component which requests data from BW and sends back the data to the data provider.  The data provider will take the data and render it in XML structure and send back to application front.  The code that generates XML is exploitable and needs to be prevented.

Available fix and Supported packages

  • BBPCRM | 520 | 520
  • BBPCRM | 600 | 600
  • BBPCRM | 700 | 700
  • BBPCRM | 701 | 701
  • BBPCRM 701 | SAPKU70102 |
  • BBPCRM 520 | SAPKU52011 |
  • BBPCRM 600 | SAPKU60009 |
  • BBPCRM 700 | SAPKU70009 |

Affected component

    CRM-ANA
    CRM Analytics

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1493685

TAGS

#Security
#Cross-Site-Scripting
#OLTP
#OLTP-data-provider
#BW-date
#XML-generation
#HTTP-response-header
#HTTP-response

More to explorer

SAP Cloud Connector Certificate Validation Issue

February 13, 2024

Date of Release: February 13, 2024 Advisory ID: CVE-2024-25642 Affected Software: SAP Cloud Connector Versions Affected: 2.15.0 to 2.16.1 Vulnerability Summary:A critical vulnerability,