http://www.dsecrg.com/pages/vul/show.php?id=133
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-033
Application: SAP NetWeaver Application Server (Java)
Versions Affected: Version 7.0
Vendor URL: http://SAP.com
Bugs: XSS
Exploits: YES
Reported: 18.03.2009
Vendor response: 19.03.2009
Date of Public Advisory: 11.08.2009
CVE-number:
Author: Alexander Polyakov
Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)
Description
SAP NetWeaver Application Server (Java) contains a linked (reflected) cross-site scripting vulnerability in its UDDI client.
Details
Linked XSS vulnerability in the UDDI client.
The vulnerability was found in the page /uddiclient/process.
The vulnerable field is "TModel Key": its value is reflected into the response without output encoding, so a double quote in the input closes the HTML attribute and the remainder is rendered as markup.
Example
aa"><img/src=javascript:alert('dsecrg xss')>
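The following is an added illustration, not code from DSecRG or SAP: it reproduces the reflection pattern the advisory describes (the field value echoed into an HTML attribute) next to the hardened form, and checks with an HTML parser whether the payload above breaks out of the attribute. The input name tmodelKey and the markup shape are assumptions.

```python
import html
from html.parser import HTMLParser

# Payload as quoted in the advisory (constructed local copy, used only as test input)
ADVISORY_PAYLOAD = "aa\"><img/src=javascript:alert('dsecrg xss')>"


def render_unsafe(tmodel_key: str) -> str:
    """Pattern the advisory describes: the submitted field value is reflected
    verbatim into an attribute, so a quote in the input terminates it."""
    return f'<input type="text" name="tmodelKey" value="{tmodel_key}">'


def render_safe(tmodel_key: str) -> str:
    """Hardened form: attribute-encode the value before reflecting it.
    html.escape(quote=True) turns < > & " and ' into entities."""
    encoded = html.escape(tmodel_key, quote=True)
    return f'<input type="text" name="tmodelKey" value="{encoded}">'


class _TagCollector(HTMLParser):
    """Collects every start tag with its attributes, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def parse_tags(markup: str):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def reflects_intact(markup: str, submitted: str) -> bool:
    """True when the rendered page holds exactly one element (the input) and
    its value attribute decodes back to the submitted string; False means the
    value escaped the attribute and produced additional markup."""
    tags = parse_tags(markup)
    return (len(tags) == 1
            and tags[0][0] == "input"
            and tags[0][1].get("value") == submitted)
```

Running reflects_intact on render_unsafe(ADVISORY_PAYLOAD) yields False (an extra img element appears), while render_safe keeps the same string confined to the attribute.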
Fix Information
The issue has been solved. See SAP note 1322098.
References:
SAP note 1322098
https://service.sap.com/sap/support/notes/1322098
DSecRG-09-033
http://www.dsecrg.com/pages/vul/show.php?id=133
About
Digital Security is one of the leading IT security companies in CEMEA, providing information security
consulting, audit and penetration testing services, risk analysis and ISMS-related services and
certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on
application and database security problems with vulnerability reports, advisories and whitepapers
posted regularly on our website.
Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
Polyakov Alexandr
Chief Information Security Analyst
DIGITAL SECURITY
phone: +7 812 703 1547
+7 812 430 9130
e-mail: [email protected]
www.dsec.ru
www.dsecrg.com
www.pcidss.ru