This SAP Note contains fixes for security issues with the Operations part of SAP Solution Manager (component SV-SMG-OP).
The following risks are addressed:
- Cross Site Scripting
The SAP Solution Manager (Operations part) can be abused by a malicious user allowing them to modify displayed application content without authorization and to potentially obtain authentication information from other legitimate users.
- SQL injection
A malicious user can exploit SAP Solution Manager (Operations part) using specially crafted inputs to execute arbitrary database commands to retrieve, modify, or remove data persisted by the system.
- Hard-coded user names (Backdoor)
SAP Solution Manager (Operations part) contains code which changes the program’s behaviour when a user successfully authenticates with a certain username.
Available fix and Supported packages
- ST | 400 | 400
- ST 400 | SAPKITL433 |
Exploit is not available.
For detailed information please contact the mail [email protected]