Reflected Cross Site Scripting in CL_HTTP_EXT_SERVICE_POST_DEMO class

Impact On Business

By exploiting this vulnerability a remote attacker could trick users into clicking malicious links and depending on the level of protection that the browser provides, the attacker could potentially steal their user sessions or other information.

Affected Components Description

• SAP_ABA 700 SP 07-40
• SAP_ABA 701 SP 00-25
• SAP_ABA 702 SP 01-25
• SAP_ABA 731 SP 01-32
• SAP_ABA 740 SP 00-29
• SAP_ABA 750 SP 00-26
• SAP_ABA 751 SP 00-15
• SAP_ABA 752 SP 00-11
• SAP_ABA 75C SP 00-11
• SAP_ABA 75D SP 00-09
• SAP_ABA 75E SP 00-07
• SAP_ABA 75F SP 00-05
• SAP_ABA 75G SP 00-03
• SAP_ABA 75H SP 00-01

Vulnerability Details

SAP Solution Manager implements a class named CL_HTTP_EXT_SERVICE_POST_DEMO which was not correctly performing sanitization on user input. As a consequence, an attacker could craft a malicious link, which when clicked by an unsuspecting user, could be used to read or modify sensitive information or hijack the user session.

Solution

SAP has released SAP Note 3282663 which provides patched versions of the affected components.

The patches can be downloaded from https://me.sap.com/notes/3282663.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

• 11/01/2022: Onapsis reports vulnerability to SAP
• 02/14/2023: SAP issues the patch

References

• Onapsis blogpost: https://onapsis.com/blog/sap-patch-day-february-2023/
• CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24529
• Vendor Patch: https://me.sap.com/notes/3282663