Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Some Fields are susceptible to Cross-site scripting, SAP security note 1335926

Description

You create a Bid invitation and specify and go to Dynamic Attributes tab and enter the Dynamic attribute Description as
“<a href=”javascript:alert();”>Click me!</a>”, for example.
When you change the tabs or open the bid invitation again, the system displays a dialog box that contains the following text: “Click me!”.
Same problem occurs when you provide it as a description of some other fields like Partner details, Bidder output data details in Bid invitation, and Incoterm Description in Quotation.

Available fix and Supported packages

  • SRM_SERVER | 500 | 500
  • SRM_SERVER | 550 | 550
  • SRM_SERVER 500 | SAPKIBKS16 |
  • SRM_SERVER 550 | SAPKIBKT16 |

Affected component

    SRM-EBP-TEC-ITS
    ITS and Web files

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/1335926

TAGS

#BBP_BID_INV
#BBP_QUOT
#Description
#XSS
#cross-site-scripting
#Partner-details
#Bidder-output-data-details
#Incoterm-Description

More to explorer