Vigil@nce: SAP cFolders, Cross Site Scripting
April 2009 by Vigil@nce
An attacker can exploit several Cross Site Scripting vulnerabilities in SAP
Collaboration Folders (cFolders).
– Severity: 2/4
– Consequences: client access/rights
– Provenance: document
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 22/04/2009
IMPACTED PRODUCTS
– SAP ERP
– SAP NetWeaver
DESCRIPTION OF THE VULNERABILITY
The SAP Collaboration Folders product is integrated in several SAP
products: SAP ECC, SAP Product Lifecycle Management (PLM), SAP
Supplier Relationship Management (SRM), SAP Knowledge Management
and SAP NetWeaver cRooms (collaboration rooms).
The following BSP pages do not validate or HTML-encode received data before
displaying it:
https://site/sap/bc/bsp/sap/cfx_rfc_ui/col_table_filter.htm
https://site/sap/bc/bsp/sap/cfx_rfc_ui/me_ov.htm
https://site/sap/bc/bsp/sap/cfx_rfc_ui/hyp_de_create.htm
An attacker can therefore craft a link to one of these pages containing script
code, which is reflected unencoded and executed in the browser of the victim
who opens it (Cross Site Scripting in SAP Collaboration Folders).
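The reflection check below is an added example, not code from Vigil@nce or SAP. It targets the three pages named in this advisory and classifies a response as echoing a canary unencoded (still vulnerable), HTML-encoded (what the correcting SAP notes should produce), or not at all. The advisory does not name the vulnerable parameters, so the parameter name passed to build_probe_urls is an assumption to be replaced with the parameters the pages actually accept; the sample response bodies in the main block are constructed, not captured from a real system.

```python
"""Reflection check for the cFolders BSP pages listed in this advisory.

Added example, not Vigil@nce's or SAP's code. The probed parameter name is
an assumption (the advisory names only the pages, not the parameters).
"""
import urllib.parse
import urllib.request

# Pages named in the advisory, relative to the SAP host.
PAGES = [
    "/sap/bc/bsp/sap/cfx_rfc_ui/col_table_filter.htm",
    "/sap/bc/bsp/sap/cfx_rfc_ui/me_ov.htm",
    "/sap/bc/bsp/sap/cfx_rfc_ui/hyp_de_create.htm",
]

# Canary: unlikely to occur naturally and containing the characters an
# HTML-encoding fix must neutralise (double quote, apostrophe, < and >).
CANARY = 'vglxss"\'<b>7f3a</b>'

# Two common encodings of the canary: Python's html.escape style (&#x27;)
# and the decimal-entity style (&#39;) emitted by other encoders.
ESCAPED_FORMS = (
    "vglxss&quot;&#x27;&lt;b&gt;7f3a&lt;/b&gt;",
    "vglxss&quot;&#39;&lt;b&gt;7f3a&lt;/b&gt;",
)


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Classify how a response body reflects the canary.

    Returns:
      "raw"     - canary echoed verbatim, i.e. unencoded output (XSS)
      "escaped" - canary present only in HTML-encoded form (fixed)
      "absent"  - canary not reflected at all
    """
    if canary in body:
        return "raw"
    if any(form in body for form in ESCAPED_FORMS):
        return "escaped"
    return "absent"


def build_probe_urls(base: str, param: str, canary: str = CANARY) -> list:
    """Build one probe URL per advisory page carrying the canary in `param`.

    `param` is an assumption; adjust it to the real query parameters.
    """
    query = urllib.parse.urlencode({param: canary})
    return [f"{base.rstrip('/')}{page}?{query}" for page in PAGES]


def probe(url: str, cookie: str = "", timeout: float = 10.0) -> str:
    """Fetch a probe URL; cFolders pages normally need an authenticated
    session, so pass the session cookie header value if required."""
    headers = {"User-Agent": "cfolders-xss-check"}
    if cookie:
        headers["Cookie"] = cookie
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


if __name__ == "__main__":
    # Constructed sample responses (not captured from a real SAP system):
    # an unpatched page echoes the canary as-is, a patched one encodes it.
    samples = {
        "unpatched": '<input name="filter" value="' + CANARY + '">',
        "patched": '<input name="filter" value="' + ESCAPED_FORMS[0] + '">',
    }
    for label, body in samples.items():
        print(label, "->", classify_reflection(body))
    # Probe URLs for a live check (hostname and parameter are assumptions).
    for url in build_probe_urls("https://site", "filter"):
        print(url)
```

In a live check, call probe() on each URL from build_probe_urls() with a valid session cookie and feed the body to classify_reflection(); any "raw" result means the page still reflects input unencoded and the SAP notes listed under CHARACTERISTICS have not taken effect.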
CHARACTERISTICS
– Identifiers: 1284360, 1292875, BID-34658, VIGILANCE-VUL-8663
– Url: http://vigilance.fr/vulnerability/SAP-cFolders-Cross-Site-Scripting-8663