
Logon data can be discovered via XSS, SAP security note 1441953

Description

An attacker can use Web Dynpro ABAP to steal the logon data of another user.

Available fix and Supported packages

  • SAP_BASIS | 700 | 702
  • SAP_BASIS | 710 | 720
  • SAP_BASIS 711 | SAPKB71105 |
  • SAP_BASIS 720 | SAPKB72003 |
  • SAP_BASIS 701 | SAPKB70107 |
  • SAP_BASIS 702 | SAPKB70204 |

Affected component

    BC-WD-ABA
    Web Dynpro ABAP

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information, please contact [email protected].

URL

https://launchpad.support.sap.com/#/notes/1441953

Details

Certain Web Dynpro ABAP pages do not encode their input parameters sufficiently. This causes a reflected cross-site scripting (XSS) problem. XSS can be used to steal the logon data of another user, and the same gap can be used, for example, to deface or change the contents of a page. An attacker who has obtained this logon data can use it to impersonate a different user in the system; the attacker then has access to all of that user's information and holds the same authorizations as that user. If the user is an administration user, the security of the entire application may be compromised.