Security Advisories for SAP

6. October 2023

The usd HeroLab's pentest professionals examined applications from the software manufacturer SAP while conducting their pentests.

During the assessment of the SAP Partner Portal, the redirection to an error page was found to be vulnerable to cross-site scripting (XSS) attacks. This enables attackers to remotely execute HTML tags and malicious JavaScript code in the user's browser.

In addition, the SAP HTTP Content Server was found to not neutralize or incorrectly neutralize scripting syntax in HTTP headers. This allows an attacker to perform cross-site scripting attacks or other malicious actions in the user's context.

The vulnerabilities were reported to the vendor under the Responsible Disclosure Policy and subsequently fixed. Detailed information about the advisories can be found here.

About usd HeroLab Security Advisories

In order to protect businesses against hackers and criminals, we must ensure that our skills and knowledge are up to date at all times. Therefore, security research is just as important to our work as is building up a security community to promote an exchange of knowledge. After all, more security can only be achieved if many people take on the task.

We analyze attack scenarios, which are changing constantly, and publish a series of Security Advisories on current vulnerabilities and security issues – always in line with our Responsible Disclosure Policy.

Always in the name of our mission: “more security.”

Also interesting:

SWIFT CSCFv2025 - The Three Most Important Questions About the Update

SWIFT CSCFv2025 - The Three Most Important Questions About the Update

Users of the SWIFT network are required to demonstrate compliance with the mandatory security controls through an annual independent audit in accordance with the Customer Security Control Framework (CSCF). As part of this SWIFT Assessment, the security of an...

From Unicode to Exploit: The Security Risks of Overlong UTF-8 Encodings

From Unicode to Exploit: The Security Risks of Overlong UTF-8 Encodings

In the dynamic field of cybersecurity, it is often the obscure and long-forgotten vulnerabilities that pose a hidden threat to otherwise hardened systems. One such vulnerability lies in invalid character encodings that violate the UTF-8 standard. While overlong UTF-8...

Categories

Categories