Description
1)Several cross site scripting (XSS) vulnerabilities have been discovered in administrative Web interfaces of PI.
2)Some servlets allow bypassing http-only cookie security.
3)Some Exchange Profile parameters are saved as plain text in NWA.
4)Reading and overwriting files using various administrative XI tools Possible.
5)The password is contained in clear text in the HTML source code.
Available fix and Supported packages
- MESSAGING | 7.10 | 7.11
- MESSAGING | 7.20 | 7.20
- MESSAGING | 7.30 | 7.30
- MESSAGING | 7.31 | 7.31
- SAP_XIESR | 7.10 | 7.11
- SAP_XIESR | 7.20 | 7.20
- SAP_XIESR | 7.30 | 7.30
- SAP_XIESR | 7.31 | 7.31
- SAP_XITOOL | 3.0 | 3.0
- SAP_XITOOL | 7.00 | 7.02
- SAP_XITOOL | 7.10 | 7.11
- XI TOOLS 7.02 | SP003 | 000002
- XI TOOLS 7.02 | SP004 | 000003
- XI TOOLS 7.02 | SP005 | 000002
- XI TOOLS 7.02 | SP006 | 000001
Affected component
- BC-XI-IBF
Framework
CVSS
Score: 0
Exploit
Exploit is not available.
For detailed information please contact the mail [email protected].
URL
https://launchpad.support.sap.com/#/notes/1297256