Skip links

CVE-2019-0298 Cross-Site Scripting (XSS) vulnerability in SAP E-Commerce (Business-to-Consumer) application, SAP security note 2773086

Description

SAP E-Commerce (Business-to-Consumer) application does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Some well-known impacts of XSS vulnerability are –

  • non-permanently deface or modify displayed content from a Web site
  • steal authentication information of the user, such as data relating to his or her current session
  • impersonate the user and access all information with the same rights as the target user 

Available fix and Supported packages

  • SAP-CRMJAV | 731 | 731
  • SAP-CRMJAV | 730 | 730
  • SAP-CRMJAV | 732 | 732
  • SAP-CRMJAV | 733 | 733
  • SAP-CRMJAV | 754 | 754
  • SAP-CRMWEB | 731 | 731
  • SAP-CRMWEB | 730 | 730
  • SAP-CRMWEB | 732 | 732
  • SAP-CRMWEB | 733 | 733
  • SAP-CRMWEB | 754 | 754
  • SAP-SHRWEB | 731 | 731
  • SAP-SHRWEB | 730 | 730
  • SAP-SHRWEB | 732 | 732
  • SAP-SHRWEB | 733 | 733
  • SAP-SHRWEB | 754 | 754
  • SAP-SHRJAV | 731 | 731
  • SAP-SHRJAV | 730 | 730
  • SAP-SHRJAV | 732 | 732
  • SAP-SHRJAV | 733 | 733
  • SAP-SHRJAV | 754 | 754
  • CRM JAVA APPLICATIONS 7.30 | SP012 | 000210
  • CRM JAVA APPLICATIONS 7.31 | SP009 | 000216
  • CRM JAVA APPLICATIONS 7.32 | SP004 | 000215
  • CRM JAVA APPLICATIONS 7.33 | SP000 | 000180
  • CRM JAVA APPLICATIONS 7.54 | SP001 | 000084
  • CRM JAVA COMPONENTS 7.30 | SP012 | 000210
  • CRM JAVA COMPONENTS 7.31 | SP009 | 000216
  • CRM JAVA COMPONENTS 7.32 | SP004 | 000215
  • CRM JAVA COMPONENTS 7.33 | SP000 | 000180
  • CRM JAVA COMPONENTS 7.54 | SP001 | 000084
  • CRM JAVA WEB COMPONENTS 7.30 | SP012 | 000210
  • CRM JAVA WEB COMPONENTS 7.31 | SP009 | 000216
  • CRM JAVA WEB COMPONENTS 7.32 | SP004 | 000215
  • CRM JAVA WEB COMPONENTS 7.33 | SP000 | 000180
  • CRM JAVA WEB COMPONENTS 7.54 | SP001 | 000084
  • SAP SHARED JAVA APPLIC. 7.30 | SP012 | 000210
  • SAP SHARED JAVA APPLIC. 7.31 | SP009 | 000216
  • SAP SHARED JAVA APPLIC. 7.32 | SP004 | 000215
  • SAP SHARED JAVA APPLIC. 7.33 | SP000 | 000180
  • SAP SHARED JAVA APPLIC. 7.54 | SP001 | 000084

Affected component

    CRM-ISA-BAS
    Shopping Basket and Order Entry

CVSS

Score: 6.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/2773086

TAGS

#&65279-XSS
#stored-XSS
#reflected-XSS
#CSS&65279
#&160-CVE-2019-0298&65279