all things security

SAP Enterprise Portal 7.50 Cross Site Scripting

SAP Enterprise Portal 7.50 Cross Site Scripting
Posted Sep 29, 2017
Authored by Imran Khan

SAP Enterprise Portal versions 7.50 and below suffer from a cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2017-10701
MD5 | b7e533258b6fc2e9044b7988259677f3

SAP Enterprise Portal 7.50 Cross Site Scripting

Change Mirror Download
*SAP Enterprise Portal and Clients Input Validation Flaw Lets Remote Users
Conduct Cross-Site Scripting Attacks*


*CVE Reference:* CVE-2017-10701


*Date:* Sep 27 2017


*Severity Rating: CVSS v3 Base Score:* 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I
:L/A:N)


*Fix Available:* Yes *Vendor Confirmed:* Yes


*Version(s):* SAP Enterprise Portal 7.50 and prior


*Description:* A vulnerability was reported in SAP Enterprise Portal (EP)
and Clients. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input
before displaying the input. A remote user can cause arbitrary scripting
code to be executed by the target user's browser. The code will originate
from the site running the SAP Enterprise Portal (EP) and will run in the
security context of that site. As a result, the code will be able to access
the target user's cookies (including authentication cookies), if any,
associated with the site, access data recently submitted by the target user
via web form to the site, or take actions on the site acting as the target
user.


*Impact:* A remote user can access the target user's cookies (including
authentication cookies), if any, associated with the site running the SAP
Enterprise Portal, access data recently submitted by the target user via
web form to the site, or take actions on the site acting as the target user.


*Link to remedies:*

Web Dynpro Java - https://launchpad.support.sap.com/#/notes/2469860
SAPGUI for HTML- https://launchpad.support.sap.com/#/notes/2471209
Web Dynpro ABAP -https://launchpad.support.sap.com/#/notes/2488516

*Credits:* Imran Khan @Netizen01k reported this vulnerability.


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    15 Files
  • 19
    Oct 19th
    10 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    4 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close