Monday, June 13, 2011

SAP Note 1259414 - Cross Site Scripting: PCUI Stored JavaScript Vulnerability

Symptom

Any PCUI application that offers document management functionality, and so allows a link or URL (such as a link to a company website or to a product description) to be attached to a created business transaction, does not perform adequate input validation on that field. The field allows JavaScript to be injected into the CRM content server, where it may be executed in the browser of any user accessing sensitive content server data.


Other terms
Cross Site Scripting, XSS Support, PCUI, F4 Help


Reason and Prerequisites
The PCUI framework does not perform adequate input validation for the BSP application that allows a URL to be added as an attachment.


Solution
Appropriate encoding mechanisms have been added to prevent such attacks. Please implement the attached corrections.
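
The kind of fix described above, validating the link field and encoding it on output, is sketched below in JavaScript. This is an added illustration, not SAP's correction or PCUI code: the function names, the http/https allow-list and the sample values are assumptions constructed for the example.

```javascript
// Added example (not SAP code). All names and sample values are constructed.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// HTML-encode a value for element text or a double-quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return the normalized URL if it is an absolute http(s) link, otherwise null.
// The WHATWG URL parser strips embedded tabs/newlines before reading the
// scheme, so "java\tscript:" is classified as "javascript:" and rejected.
function validateAttachmentUrl(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch (err) {
    return null; // relative or unparsable input is not accepted as a link
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Before: the stored value is concatenated into markup unchanged.
function renderLinkUnsafe(storedUrl, title) {
  return '<a href="' + storedUrl + '">' + title + '</a>';
}

// After: check the scheme, then encode every value for its output context.
function renderLinkSafe(storedUrl, title) {
  const href = validateAttachmentUrl(storedUrl);
  if (href === null) {
    return '<span class="invalid-link">' + escapeHtml(title) + '</span>';
  }
  return '<a href="' + escapeHtml(href) + '" rel="noopener noreferrer">' +
    escapeHtml(title) + '</a>';
}

// Constructed attachment values: one legitimate link, three hostile ones.
const samples = [
  'https://example.com/products/4711',
  'javascript:alert(1)',
  'java\tscript:alert(1)',
  'https://example.com/" onmouseover="alert(1)',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '=>', renderLinkSafe(s, 'Product sheet'));
}
```

Validation should run when the attachment is saved and again when it is rendered, so that values stored before the correction was applied are also neutralized.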





Affected Releases

| Software Component | Release | From Release | To Release | And subsequent |
|---|---|---|---|---|
| SAP_ABA | 70 | 700 | 700 | |
| BBPCRM | 4.0 | 400 | 400 | |

Correction delivered in Support Package

| Support Packages | Release | Package Name |
|---|---|---|
| BBPCRM | 400 | |
| SAP_ABA | 700 | |

Corrections Instructions

| Correction Instruction | Valid from | Valid to | Software Component | Last Modification |
|---|---|---|---|---|
| | 700 | 700 | SAP_ABA | 07.11.2008 04:02:54 |
| | 400 | 400 | BBPCRM | 16.02.2009 06:34:08 |




Direct Link : https://service.sap.com/sap/support/notes/1259414
