Untrusted XML input parsing possible in CRM-ISA, SAP security note 2244346

Description

A malicious user can modify an XML-based request to include XML content that is then parsed locally.
This could allow a malicious user to perform a denial of service (DoS) on the parsing system, or disclose local data that is then returned in the response to the malicious request, or access further network-located resources that are accessible from the parsing system.

Available fix and Supported packages

SAP-CRMJAV | 6.0 | 6.0
SAP-CRMJAV | 700 | 700
SAP-CRMJAV | 701 | 701
SAP-CRMJAV | 702 | 702
SAP-CRMJAV | 731 | 731
SAP-CRMJAV | 730 | 730
SAP-CRMJAV | 732 | 732
SAP-CRMJAV | 733 | 733
SAP-CRMWEB | 6.0 | 6.0
SAP-CRMWEB | 700 | 700
SAP-CRMWEB | 701 | 701
SAP-CRMWEB | 702 | 702
SAP-CRMWEB | 731 | 731
SAP-CRMWEB | 730 | 730
SAP-CRMWEB | 732 | 732
SAP-CRMWEB | 733 | 733
SAP-SHRWEB | 6.0 | 6.0
SAP-SHRWEB | 700 | 700
SAP-SHRWEB | 701 | 701
SAP-SHRWEB | 702 | 702
CRM JAVA APPLICATIONS 6.0 | SP011 | 000100
CRM JAVA APPLICATIONS 7.0 | SP012 | 000126
CRM JAVA APPLICATIONS 7.01 | SP009 | 000126
CRM JAVA APPLICATIONS 7.02 | SP004 | 000144
CRM JAVA APPLICATIONS 7.30 | SP012 | 000128
CRM JAVA APPLICATIONS 7.31 | SP009 | 000132
CRM JAVA APPLICATIONS 7.32 | SP004 | 000131
CRM JAVA APPLICATIONS 7.33 | SP000 | 000089
CRM JAVA COMPONENTS 6.0 | SP011 | 000100
CRM JAVA COMPONENTS 7.0 | SP012 | 000126
CRM JAVA COMPONENTS 7.01 | SP009 | 000126
CRM JAVA COMPONENTS 7.02 | SP004 | 000144
CRM JAVA COMPONENTS 7.30 | SP012 | 000128
CRM JAVA COMPONENTS 7.31 | SP009 | 000132
CRM JAVA COMPONENTS 7.32 | SP004 | 000131
CRM JAVA COMPONENTS 7.33 | SP000 | 000089
CRM JAVA WEB COMPONENTS 6.0 | SP011 | 000100
CRM JAVA WEB COMPONENTS 7.0 | SP012 | 000126
CRM JAVA WEB COMPONENTS 7.01 | SP009 | 000126
CRM JAVA WEB COMPONENTS 7.02 | SP004 | 000144

Affected component

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2244346

Arpine Maghakyan

Untrusted XML input parsing possible in CRM-ISA, SAP security note 2244346

Description

Available fix and Supported packages

Affected component

CVSS

Exploit

URL

TAGS

#XXE
#XML-eXternal-Entity
#information-disclosure
#denial-of-service
#DoS
#CRM-ISA
#CRM-ISE

More to explorer

SAP Security Patch Day – April 2024

SAP Security Patch Day – March 2024

SAP Cloud Connector Certificate Validation Issue

Critical XSS Vulnerability Identified in SAP NetWeaver AS Java

Arpine Maghakyan

Untrusted XML input parsing possible in CRM-ISA, SAP security note 2244346

Description

Available fix and Supported packages

Affected component

CVSS

Exploit

URL

TAGS

#XXE#XML-eXternal-Entity#information-disclosure#denial-of-service#DoS#CRM-ISA#CRM-ISE

More to explorer

SAP Security Patch Day – April 2024

SAP Security Patch Day – March 2024

SAP Cloud Connector Certificate Validation Issue

Critical XSS Vulnerability Identified in SAP NetWeaver AS Java

#XXE
#XML-eXternal-Entity
#information-disclosure
#denial-of-service
#DoS
#CRM-ISA
#CRM-ISE