Vahagn Vardanian

Co-founder and CTO of RedRays

Untrusted XML input parsing possible in CRM-ISA, SAP security note 2244346

Description

A malicious user can modify an XML-based request so that it carries XML content, including external entity declarations, that is then parsed locally by the receiving system.
Depending on what the parser resolves, this could allow the attacker to cause a denial of service (DoS) on the parsing system, to disclose local data that is then returned in the response to the crafted request, or to reach further network-located resources that are accessible from the parsing system.
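One way to close this vulnerability class on the parsing side, given as an added example that is not SAP's code or the fix delivered with the note: a Java DocumentBuilderFactory configured to reject DOCTYPE declarations and external entities, wrapped in a helper that returns null for a rejected request. The class name, the two sample requests and the SYSTEM path inside the second one are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlRequestParser {
    // Factory that refuses DOCTYPE declarations and external entities (standard Xerces/SAX feature URIs).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // No DOCTYPE at all: blocks external entities and entity-expansion DoS in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // Returns the root element name of an accepted request, or null if it was rejected.
    static String parseRequest(String xml) {
        try {
            DocumentBuilder b = hardenedFactory().newDocumentBuilder();
            // Last line of defence: resolve any external reference to an empty stream.
            b.setEntityResolver((publicId, systemId) ->
                    new InputSource(new ByteArrayInputStream(new byte[0])));
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // A DOCTYPE in an Internet Sales request is itself a detection signal worth logging.
            System.err.println("rejected XML request: " + e.getMessage());
            return null;
        } catch (Exception e) {
            System.err.println("XML parse failure: " + e);
            return null;
        }
    }
    public static void main(String[] args) {
        // Constructed sample requests; the SYSTEM path is a placeholder, not a real target.
        String benign = "<order><item id=\"42\"/></order>";
        String withDtd = "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]><order>&ext;</order>";
        System.out.println("benign request   -> " + parseRequest(benign));
        System.out.println("request with DTD -> " + parseRequest(withDtd));
    }
}
```

With the JDK's built-in parser the second request fails at the DOCTYPE before any entity is resolved, so the file path is never touched and the helper returns null.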

Available fix and supported packages

  • SAP-CRMJAV | 6.0 | 6.0
  • SAP-CRMJAV | 700 | 700
  • SAP-CRMJAV | 701 | 701
  • SAP-CRMJAV | 702 | 702
  • SAP-CRMJAV | 731 | 731
  • SAP-CRMJAV | 730 | 730
  • SAP-CRMJAV | 732 | 732
  • SAP-CRMJAV | 733 | 733
  • SAP-CRMWEB | 6.0 | 6.0
  • SAP-CRMWEB | 700 | 700
  • SAP-CRMWEB | 701 | 701
  • SAP-CRMWEB | 702 | 702
  • SAP-CRMWEB | 731 | 731
  • SAP-CRMWEB | 730 | 730
  • SAP-CRMWEB | 732 | 732
  • SAP-CRMWEB | 733 | 733
  • SAP-SHRWEB | 6.0 | 6.0
  • SAP-SHRWEB | 700 | 700
  • SAP-SHRWEB | 701 | 701
  • SAP-SHRWEB | 702 | 702
  • CRM JAVA APPLICATIONS 6.0 | SP011 | 000100
  • CRM JAVA APPLICATIONS 7.0 | SP012 | 000126
  • CRM JAVA APPLICATIONS 7.01 | SP009 | 000126
  • CRM JAVA APPLICATIONS 7.02 | SP004 | 000144
  • CRM JAVA APPLICATIONS 7.30 | SP012 | 000128
  • CRM JAVA APPLICATIONS 7.31 | SP009 | 000132
  • CRM JAVA APPLICATIONS 7.32 | SP004 | 000131
  • CRM JAVA APPLICATIONS 7.33 | SP000 | 000089
  • CRM JAVA COMPONENTS 6.0 | SP011 | 000100
  • CRM JAVA COMPONENTS 7.0 | SP012 | 000126
  • CRM JAVA COMPONENTS 7.01 | SP009 | 000126
  • CRM JAVA COMPONENTS 7.02 | SP004 | 000144
  • CRM JAVA COMPONENTS 7.30 | SP012 | 000128
  • CRM JAVA COMPONENTS 7.31 | SP009 | 000132
  • CRM JAVA COMPONENTS 7.32 | SP004 | 000131
  • CRM JAVA COMPONENTS 7.33 | SP000 | 000089
  • CRM JAVA WEB COMPONENTS 6.0 | SP011 | 000100
  • CRM JAVA WEB COMPONENTS 7.0 | SP012 | 000126
  • CRM JAVA WEB COMPONENTS 7.01 | SP009 | 000126
  • CRM JAVA WEB COMPONENTS 7.02 | SP004 | 000144

Affected component

    CRM-ISA
    Internet Sales

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2244346

Tags

#XXE
#XML-eXternal-Entity
#information-disclosure
#denial-of-service
#DoS
#CRM-ISA
#CRM-ISE
