Skip links
RedRays - Your SAP Security Solution
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Some Fields are susceptible to Cross-site scripting, SAP security note 1335926

Description

You create a Bid invitation and specify and go to Dynamic Attributes tab and enter the Dynamic attribute Description as
“<a href=”javascript:alert();”>Click me!</a>”, for example.
When you change the tabs or open the bid invitation again, the system displays a dialog box that contains the following text: “Click me!”.
Same problem occurs when you provide it as a description of some other fields like Partner details, Bidder output data details in Bid invitation, and Incoterm Description in Quotation.

Available fix and Supported packages

  • SRM_SERVER | 500 | 500
  • SRM_SERVER | 550 | 550
  • SRM_SERVER 500 | SAPKIBKS16 |
  • SRM_SERVER 550 | SAPKIBKT16 |

Affected component

    SRM-EBP-TEC-ITS
    ITS and Web files

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1335926

TAGS

#BBP_BID_INV
#BBP_QUOT
#Description
#XSS
#cross-site-scripting
#Partner-details
#Bidder-output-data-details
#Incoterm-Description

More to explorer

SAP Cloud Connector Certificate Validation Issue

February 13, 2024

Date of Release: February 13, 2024 Advisory ID: CVE-2024-25642 Affected Software: SAP Cloud Connector Versions Affected: 2.15.0 to 2.16.1 Vulnerability Summary:A critical vulnerability,