[ERPSCAN-17-035] XSS in CRM (Administration Console, Java)

Application: SAP Java CRM
Versions Affected: SAP Java CRM 700-754
Vendor URL: SAP
Bug: XSS
Reported: 20.06.2017
Vendor response: 21.06.2017
Date of Public Advisory: 11.07.2017
Reference: SAP Security Note 2478964
Author: Vladimir Egorov (ERPScan)

VULNERABILITY INFORMATION

Class: XSS
Risk: Medium
Impact: account hijacking
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3 Base Score: 6.1 / 10
CVSS v3 Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) Required (R)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C: Impact to Confidentiality Low (L)
I: Impact to Integrity Low (L)
A: Impact to Availability None (N)

Description

An attacker can use a specially crafted HTTP request to hijack the session data of administrators of the web resource.

Business risk

An attacker can use a Cross-Site Scripting vulnerability to inject a malicious script into a page. Reflected XSS requires the attacker to trick the user: he or she must make the user follow a specially crafted link. With stored XSS, the malicious script is injected and permanently stored in the page body, so the user is attacked without performing any action.

The malicious script can access all cookies, session tokens, and other critical information stored by the browser and used for interaction with the site. An attacker can gain access to the user's session and learn business-critical information; in some cases it is possible to take control over this information. XSS can also be used to modify the displayed site content without authorization.

VULNERABLE PACKAGES

SAP-CRMJAV 700
SAP-CRMJAV 701
SAP-CRMJAV 702
SAP-CRMJAV 731
SAP-CRMJAV 730
SAP-CRMJAV 732
SAP-CRMJAV 733
SAP-CRMJAV 754

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2478964.

TECHNICAL DESCRIPTION

SAP CRM cr_b2b
SAP CRM cviews
SAP CRM entitlementinquiry
SAP CRM icss_b2b
SAP CRM icss_b2c
SAP CRM partnerregistration
SAP CRM sharedcatalog
SAP CRM b2b
SAP CRM bdisu
SAP CRM lwc
SAP CRM b2c
SAP CRM insp_b2b
SAP CRM shopadmin
SAP CRM catalogtool
SAP CRM imsadmin
SAP CRM catalog
SAP CRM ocitest
SAP CRM ipcpricing
SAP CRM isauseradm
SAP CRM avw
SAP CRM bd