
Note 1442517 - Unauthorized modification of displayed content - ISpeakAdapter

Header
Version / Date: 0 / 2011-04-12
Priority: Correction with high priority
Category: Program error
Primary Component: BC-XI-CON-ISP Industry Standard Adapter
Secondary Components: (none)

Summary
Symptom

ISpeakAdapter can be abused by a malicious user, allowing them to modify displayed application content without authorization, and potentially to obtain authentication information from other legitimate users.

CVSS Information

CVSS Base Score: 4.3
CVSS Base Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

SAP is providing this CVSS base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into consideration your own system configuration, or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding the applicability or priority of this SAP security note. Please see the FAQ section on https://service.sap.com/securitynotes/ for more information.

Other terms

Reflected Cross-Site Scripting, XSS, ISpeak Adapter

Reason and Prerequisites

ISpeakAdapter does not sufficiently encode input parameters, resulting in a reflected cross-site scripting issue. A reflected cross-site scripting attack can be used to non-permanently deface or modify displayed content from a Web site.

Reflected cross-site scripting can be used to steal another user's authentication information, such as data relating to their current session. A malicious user who gains access to this data may use it to impersonate the user and access all information with the same rights as the target user. If an administrator is impersonated, the application's security could be fully compromised.
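To illustrate the bug class the note describes (a request parameter reflected into the response without sufficient encoding) next to the corrected form, here is an added example in Python; it is not code from the note or from ISpeakAdapter, and the query string, the parameter name and the page fragments are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs

# Constructed query string, standing in for a request to a servlet that
# reflects the "name" parameter into its HTML response (hypothetical).
SAMPLE_QUERY = "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&lang=en"


def first_param(query: str, name: str) -> str:
    """Return the first value of a query parameter, URL-decoded, or ''."""
    return parse_qs(query).get(name, [""])[0]


def render_unencoded(param_value: str) -> str:
    """The defect described in the note: the parameter is copied verbatim
    into the HTML body, so any markup it carries is interpreted by the browser."""
    return f"<p>Hello, {param_value}</p>"


def render_encoded(param_value: str) -> str:
    """Corrected form for the HTML text context: entity-encode &, <, >, " and '
    before interpolation, so the browser renders the value as literal text."""
    return f"<p>Hello, {html.escape(param_value, quote=True)}</p>"


def render_attribute(param_value: str) -> str:
    """Corrected form for a quoted attribute context: quote characters must be
    encoded too, otherwise the value could close the attribute and add new ones."""
    return f'<input type="text" value="{html.escape(param_value, quote=True)}">'


def reflects_raw_markup(response_body: str, param_value: str) -> bool:
    """Regression check: does a tag from the input survive unencoded in the
    response? True means the parameter is reflected without encoding."""
    return "<" in param_value and param_value in response_body


if __name__ == "__main__":
    value = first_param(SAMPLE_QUERY, "name")
    print("unencoded reflects markup:", reflects_raw_markup(render_unencoded(value), value))
    print("encoded reflects markup:  ", reflects_raw_markup(render_encoded(value), value))
```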

Solution
https://service.sap.com/sap/support/notes/1442517

(SAP Service marketplace login required)

Affected Releases
Software Component   Release   From Release   To Release   And subsequent
SAP_XIAF             3.0       3.0            3.0
SAP_XIAF             7.00      7.00           7.02
SAP_XIAF             7.10      7.10           7.11

Related Notes
1576121  SAP EhP1 for XI on Netweaver 7.00 SP09
1561929  SAP EhP2 for Netweaver 7.00 SP07
1531912  SAP EhP1 for XI on Netweaver 7.00 SP08
1530712  NW04s XI Support Package Stack 23
1459565  SAP EHP1 FOR SAP NETWEAVER PI 7.1 SP05