Skip links
RedRays
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Code injection vulnerability in WEBCUIF components, SAP security note 1484128

Description

The F4 functionality in WEBCUIF and CRMUIF contains code which allows to execute arbitrary simple Search Help that was not provided directly by an application by means of a normal V-Getter. If such a Search Help has no built in authorization mechanism (e.g. if it is a DDIC Search Help), the execution will be possible and the data displayed to the originator of the request. However, there is no possibility to change data. Furthermore, such unauthorized display impacts only master data and in very limited cases where there is no possibility to add authorization checks inside the Search Help.

Available fix and Supported packages

  • CRMUIF | 600 | 600
  • WEBCUIF | 700 | 700
  • WEBCUIF | 701 | 701
  • WEBCUIF | 730 | 730
  • CRMUIF 600 | SAPK-60011INCRMUIF |
  • WEBCUIF 700 | SAPK-70009INWEBCUIF |
  • WEBCUIF 701 | SAPK-70103INWEBCUIF |
  • WEBCUIF 730 | SAPK-73001INWEBCUIF |

Affected component

    CA-WUI-UI
    User Interface

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected].

URL

https://launchpad.support.sap.com/#/notes/1484128

TAGS

#Search-Help-Execution
#Unauthorized-display-of-data
#backdoor
#injection
#F4
#Search-Help

More to explorer