Monday, June 13, 2011

SAP Note 1267878 - Cross-site scripting error in BBP_POC

Symptom

You are using transaction BBP_POC (Create Purchase Order). On the initial screen, you choose the "Create" button. In the "Purchase Order Name" field, you then enter, for example, "..."..." (that is, text containing a double quotation mark). After you trigger any action in this transaction, the text after the double quotation mark disappears. This may be used for cross-site scripting.


Other terms
XSS


Reason and Prerequisites
This problem is caused by a program error in the template.
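
The symptom above is what a field value looks like when it is written into a quoted HTML attribute without output encoding. The following Python check is an added illustration, not SAP's template code or the correction from this note; the field name po_name, the sample input and both render functions are assumptions made up for the example. It renders the value with and without attribute encoding and reads it back through an HTML parser.

```python
from html import escape
from html.parser import HTMLParser

SAMPLE = 'Pumps "Q3" order'   # constructed field input containing double quotes
KNOWN = ("type", "name", "value")


def render_unencoded(value):
    # Stand-in for a faulty template: the value is copied into the attribute as-is.
    return '<input type="text" name="po_name" value="%s">' % value


def render_encoded(value):
    # Corrected form: encode for a quoted attribute context (" becomes &quot;).
    return '<input type="text" name="po_name" value="%s">' % escape(value, quote=True)


class _InputReader(HTMLParser):
    """Records the attributes an HTML parser sees on the first <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = attrs


def round_trip(render, value):
    """Return (value read back from the markup, attribute names nobody wrote)."""
    reader = _InputReader()
    reader.feed(render(value))
    reader.close()
    attrs = reader.attrs or []
    stray = [name for name, _ in attrs if name not in KNOWN]
    return dict(attrs).get("value"), stray


def survives_round_trip(render, value):
    shown, stray = round_trip(render, value)
    return shown == value and not stray


if __name__ == "__main__":
    for render in (render_unencoded, render_encoded):
        print(render.__name__, round_trip(render, SAMPLE), survives_round_trip(render, SAMPLE))
```

With the unencoded renderer only the text before the first double quotation mark is read back and the rest turns into stray attribute names; with the encoded renderer the input comes back unchanged. The same round-trip comparison can serve as a regression test for any template that redisplays user input.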


Solution
Import the relevant Support Package or implement the corrections. To find out in which Support Package the error is corrected, see the overview below.

Manual corrections in SRM 4.0: See Note 1104301 (you require at least SAPKB64013).




Affected Releases
Software Component   Release   From Release   To Release   And subsequent
SRM_SERVER           500       500            500
SRM_SERVER           550       550            550

Correction delivered in Support Package
Support Packages   Release   Package Name
SRM_SERVER         500
SRM_SERVER         550

Correction Instructions
Correction Instruction   Valid from   Valid to   Software Component   Last Modification
                         550          550        SRM_SERVER           29.10.2008 14:37:39
                         500          500        SRM_SERVER           29.10.2008 14:43:47



Direct Link : https://service.sap.com/sap/support/notes/1267878
