Skip links
RedRays - Your SAP Security Solution
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security on Udemy

Some Fields are susceptible to Cross-site scripting, SAP security note 1335926

Description

You create a Bid invitation and specify and go to Dynamic Attributes tab and enter the Dynamic attribute Description as
“<a href=”javascript:alert();”>Click me!</a>”, for example.
When you change the tabs or open the bid invitation again, the system displays a dialog box that contains the following text: “Click me!”.
Same problem occurs when you provide it as a description of some other fields like Partner details, Bidder output data details in Bid invitation, and Incoterm Description in Quotation.

Available fix and Supported packages

  • SRM_SERVER | 500 | 500
  • SRM_SERVER | 550 | 550
  • SRM_SERVER 500 | SAPKIBKS16 |
  • SRM_SERVER 550 | SAPKIBKT16 |

Affected component

    SRM-EBP-TEC-ITS
    ITS and Web files

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1335926

TAGS

#BBP_BID_INV
#BBP_QUOT
#Description
#XSS
#cross-site-scripting
#Partner-details
#Bidder-output-data-details
#Incoterm-Description

More to explorer

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. 

JOIN