Vigil@nce: SAP NetWeaver, Cross Site Scripting of SLD
July 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can trigger two Cross Site Scripting vulnerabilities in
SAP NetWeaver SLD, in order to execute script in the web context of a
user visiting the site.
– Severity: 2/4
– Creation date: 23/07/2010
DESCRIPTION OF THE VULNERABILITY
The SAP System Landscape Directory component manages software
installation. It is impacted by two vulnerabilities.
The "action" parameter of the "testsdic" script is not correctly
filtered. [severity:2/4]
The "helpstring" parameter of the "paramhelp.jsp" script is not
correctly filtered. [severity:2/4]
An attacker can therefore trigger two Cross Site Scripting
vulnerabilities in SAP NetWeaver SLD, in order to execute script in
the web context of a user visiting the site.
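For triage, the following added example (not part of the Vigil@nce bulletin or of SAP's code) scans web access logs for requests to the two scripts named above whose "action" or "helpstring" value contains HTML markup characters after decoding. It assumes a common/combined access log format; the URL prefix and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Script name -> parameter, exactly as named in the bulletin.
WATCHED = {"testsdic": "action", "paramhelp.jsp": "helpstring"}
# Characters that let a reflected value break out of HTML text or attributes.
MARKUP = re.compile(r"[<>\"']")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (script, parameter, decoded value) for each flagged request."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        script = url.path.rsplit("/", 1)[-1].lower()
        param = WATCHED.get(script)
        if param is None:
            continue  # not one of the two scripts in the bulletin
        # parse_qsl decodes once; fully_decode catches double encoding.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = fully_decode(value)
            if name.lower() == param and MARKUP.search(decoded):
                hits.append((script, param, decoded))
    return hits

# Constructed sample lines; "/example/" is a placeholder path prefix.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jul/2010:10:00:00 +0000] "GET /example/testsdic?action=refresh HTTP/1.1" 200 512',
    '192.0.2.11 - - [23/Jul/2010:10:00:05 +0000] "GET /example/testsdic?action=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512',
    '192.0.2.12 - - [23/Jul/2010:10:00:09 +0000] "GET /example/paramhelp.jsp?helpstring=%253Ci%253E HTTP/1.1" 200 300',
    '192.0.2.13 - - [23/Jul/2010:10:00:12 +0000] "GET /example/other.jsp?helpstring=%3Cb%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Values sent in a POST body do not appear in access logs, so this only covers parameters passed in the query string.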
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/SAP-NetWeaver-Cross-Site-Scripting-of-SLD-9787