HTML Encoding of Error Messages, SAP security note 887323

Description

Exception messages when raised, can contain strings that have been influenced (generated from) form fields that were received from the incoming HTTP request.

If these exception texts are again used in the outgoing HTML page to write an error message, they have to be encoded. There are a number of placed within the BSP runtime where this was not done consistently.

Available fix and Supported packages

SAP_BASIS | 610 | 640
SAP_BASIS | 700 | 700
SAP_BASIS | 710 | 710
SAP_BASIS 610 | SAPKB61045 |
SAP_BASIS 640 | SAPKB64015 |
SAP_BASIS 620 | SAPKB62056 |
SAP_BASIS 700 | SAPKB70006 |

Affected component

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected].

URL

https://launchpad.support.sap.com/#/notes/887323

Arpine Maghakyan

HTML Encoding of Error Messages, SAP security note 887323

Description

Available fix and Supported packages

Affected component

CVSS

Exploit

URL

TAGS

#

More to explorer

Urgent Security Notice: RedRays Discloses Major Data Breach Affecting SAP Customers

[CVE-2021-33690] Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure

Exploring P4 Protocol: Usage, Implementation, and CVE-2021-37535

AI-powered Password Testing for ABAP stack