Skip links
RedRays - Your SAP Security Solution
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

XSS attacks via ~designbaseurl, SAP security note 889454

Description

When you start a service, the message “Security exploit” appears. In the trace, you can then find entries such as:

illegal host in ~designbaseurl=…….
WorkXSSFilter: possible xss exploit

Available fix and Supported packages

  • BC-FES-ITS | 620 | 630
  • SAP_BASIS | 640 | 640
  • SAP_BASIS | 700 | 701
  • SAP_BASIS | 710 | 710
  • SAP BASIS 7.01 | SP000 | 000000
  • SAP KERNEL 6.40 32-BIT | SP223 | 000223
  • SAP KERNEL 6.40 32-BIT UNICODE | SP223 | 000223
  • SAP KERNEL 6.40 64-BIT | SP223 | 000223
  • SAP KERNEL 6.40 64-BIT UNICODE | SP223 | 000223
  • SAP KERNEL 7.10 32-BIT | SP092 | 000092
  • SAP KERNEL 7.10 32-BIT UNICODE | SP092 | 000092
  • SAP KERNEL 7.10 64-BIT | SP092 | 000092
  • SAP KERNEL 7.10 64-BIT UNICODE | SP092 | 000092

Affected component

    BC-FES-ITS
    SAP Internet Transaction Server

CVSS

Score: 0

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/889454

TAGS

#ITS
#XSS
#CSS
#cross-site-scripting
#security-exploit

More to explorer

SAP Cloud Connector Certificate Validation Issue

February 13, 2024

Date of Release: February 13, 2024 Advisory ID: CVE-2024-25642 Affected Software: SAP Cloud Connector Versions Affected: 2.15.0 to 2.16.1 Vulnerability Summary:A critical vulnerability,