When you call SAP E-Recruiting, one or several URL parameters are specified. If you use the URL parameters and change a parameter in a particular way, any JavaScript code can be executed.
For this purpose, proceed as follows:
Attach the character string "%27)%3balert(%27XSS%21%27)%3b%2f%2f" (without the quotation marks) to an URL parameter (for example rcfSpId=9000). When you start the application with this URL, you see that the JavaScript code was executed. A JavaScript Alert with the text "XSS!" is issued.
Other terms
XSS,
CL_HRRCF_BSP_EXT_FRAMEWORK,
<hrrcf_bsp_ext:frameWork>,
security gap,
JavaScript
Reason and Prerequisites
This problem is due to a program error.
Solution
Import the relevant Support Package or carry out the corrections in accordance with the correction instructions.
Affected Releases
|
Visit https://service.sap.com/sap/support/notes/957038 for Correction delivered in Support Package and Corrections Instructions
No comments:
Post a Comment