Description
The Flash Island files used inside the HCM WD applications (e.g. talent management and performance management) do not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Some well-known impacts of XSS vulnerability are –
- non-permanently deface or modify displayed content from a Web site
- steal authentication information of the user, such as data relating to his or her current session
- impersonate the user and access all information with the same rights as the target user
Available fix and Supported packages
- EA-HR_MSS | 1.0 | 1.0
- S4CORE | 100 | 100
- S4CORE | 101 | 101
- EA-HRGXX | 604 | 604
- EA-HRGXX | 605 | 605
- EA-HRGXX | 606 | 606
- EA-HRGXX | 607 | 607
- EA-HRGXX | 608 | 608
- SAP_BS_FND | 701 | 701
- SAP_BS_FND | 702 | 702
- SAP_BS_FND | 731 | 731
- SAP_BS_FND | 746 | 746
- SAP_BS_FND | 747 | 747
- SAP_BS_FND | 748 | 748
- EA-HR_MSS 1.0 | SAPK-10012INEAHRMSS |
- | SAPK-S4CLOUD_1611 |
- S4CORE 100 | SAPK-10003INS4CORE |
- S4CORE 101 | SAPK-10101INS4CORE |
- EA-HRGXX 604 | SAPK-604A5INEAHRGXX |
- EA-HRGXX 608 | SAPK-60833INEAHRGXX |
- EA-HRGXX 605 | SAPK-60582INEAHRGXX |
- EA-HRGXX 607 | SAPK-60756INEAHRGXX |
- EA-HRGXX 606 | SAPK-60667INEAHRGXX |
- SAP_BS_FND 701 | SAPK-70119INSAPBSFND |
- SAP_BS_FND 702 | SAPK-70217INSAPBSFND |
- SAP_BS_FND 731 | SAPK-73118INSAPBSFND |
- SAP_BS_FND 746 | SAPK-74611INSAPBSFND |
- SAP_BS_FND 747 | SAPK-74713INSAPBSFND |
- SAP_BS_FND 748 | SAPK-74804INSAPBSFND |
Affected component
- PA-TM
Talent Management
CVSS
Score: 0
Exploit
Exploit is not available.
For detailed information please contact the mail [email protected]
URL
https://launchpad.support.sap.com/#/notes/2358285
