BID:106177

SAP ABAP HTTP Logon Application Cross Frame Scripting Vulnerability

Info

SAP ABAP HTTP Logon Application Cross Frame Scripting Vulnerability

Bugtraq ID:	106177
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Sep 18 2014 12:00AM
Updated:	Sep 18 2014 12:00AM
Credit:	Onapsis
Vulnerable:	SAP NetWeaver ABAP 0 SAP Basis 7.40 SAP Basis 7.31 SAP Basis 7.30 SAP Basis 7.20 SAP Basis 7.11 SAP Basis 7.10 SAP Basis 7.02 SAP Basis 7.01 SAP Basis 7.00 SAP Basis 6.40

Not Vulnerable:

Discussion

SAP ABAP HTTP Logon Application Cross Frame Scripting Vulnerability

SAP ABAP is prone to a cross-frame scripting vulnerability.

Successful exploits will allow attackers to bypass the same-origin policy and perform unauthorized actions; other attacks are possible.

BASIS 6.40, 7.00, 7.01, 7.02, 7.10, 7.11, 7.20, 7.30, 7.31, and 7.40 are vulnerable.

Solution / Fix

SAP ABAP HTTP Logon Application Cross Frame Scripting Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

References

SAP ABAP HTTP Logon Application Cross Frame Scripting Vulnerability

References:

Analyzing SAP Security Notes September 2014 Edition (Onapsis)
SAP Security Note # 2028904 (SAP)
SAP Security Patch Day �?? December 2018 (SAP)