Skip links
RedRays
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

CVE-2021-21444 Clickjacking vulnerability in SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad), SAP security note 2935791

Description

SAP Business Object allows multiple X-Frame-Options headers entries in the response headers, which may not be predictably treated by all user agents .This could, as a result, nullify the added XFO header leading to Clickjacking attack.

Available fix and Supported packages

  • ENTERPRISE | 410 | 410
  • ENTERPRISE | 420 | 420
  • ENTERPRISE | 430 | 430
  • SBOP BI PLATFORM SERVERS 4.1 | SP012 | 000800
  • SBOP BI PLATFORM SERVERS 4.2 | SP007 | 001200
  • SBOP BI PLATFORM SERVERS 4.2 | SP008 | 000300
  • SBOP BI PLATFORM SERVERS 4.2 | SP009 | 000000
  • SBOP BI PLATFORM SERVERS 4.3 | SP000 | 000100
  • SBOP BI PLATFORM SERVERS 4.3 | SP000 | 000500
  • SBOP BI PLATFORM SERVERS 4.3 | SP001 | 000000

Affected component

    BI-BIP-CMC
    Central Management Console (CMC)

CVSS

Score: 5.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/2935791

TAGS

#X-Frame-Options
#header
#Clickjacking
#CMC
#BI-Launchpad
#XFO
#browser
#user-agent
#response-header
#CVE-2021-21444

More to explorer