The #usdHeroLab analysts examined the #SAP Partner Portal while conducting their #pentests.
1️⃣ Vulnerability Type: Improper Neutralization of Input During Web Page Generation #CWE79 #CrossSiteScripting
🚨 Security Risk: High
🧵 More details
In cases where users do not have sufficient permissions to view a specific URL within the #SAP Partner Portal, they are redirected to an error page. During this redirect, the requested URL is passed to the error page as a parameter and reflected into the error message without any filtering or output encoding.
Therefore it is possible to include HTML tags and JavaScript in the URL, so a malicious actor can craft a link that executes script in the browser of any portal user who opens it (reflected #XSS).
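To make the pattern concrete, here is an added example (not code from the SAP Partner Portal or from the usd HeroLab advisory) of an error page that echoes the requested URL, once verbatim and once HTML-encoded. The template text, the function names and the attacker payload are constructed illustrations; the portal's real parameter names are not known from the post.

```javascript
// Added example, not part of the original post or the advisory.
// Models an error page that reflects the requested URL into its message.

// Encode the characters that are meaningful in an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: the requested URL is interpolated into the page unchanged,
// so a "<" in the path becomes markup in the victim's browser.
function renderErrorPageVulnerable(requestedUrl) {
  return `<p>You are not authorized to view ${requestedUrl}</p>`;
}

// Fixed: same page, but the URL is HTML-encoded before interpolation.
function renderErrorPageFixed(requestedUrl) {
  return `<p>You are not authorized to view ${escapeHtml(requestedUrl)}</p>`;
}

// Constructed attacker-controlled path as the server sees it after
// percent-decoding. Generic proof-of-concept payload, not the advisory's.
const ATTACKER_URL = '/restricted/<img src=x onerror="alert(document.domain)">';

// Triage helper for access-log review: flags request paths that would carry
// HTML-significant characters into a reflecting error page. Malformed
// percent-encoding is kept as-is rather than crashing the check.
function looksLikeHtmlInjection(path) {
  let decoded;
  try {
    decoded = decodeURIComponent(path);
  } catch (_) {
    decoded = path;
  }
  return /[<>"']/.test(decoded);
}

console.log(renderErrorPageVulnerable(ATTACKER_URL));
console.log(renderErrorPageFixed(ATTACKER_URL));
```

The fix is output encoding at the point of interpolation; a deny-list on the URL is not a substitute, because the reflected value is rendered in an HTML text context and every one of the characters above has a safe entity form.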
The vulnerability was reported to the vendor under the Responsible Disclosure Policy and subsequently fixed for #moresecurity. More information can be found here 👩‍💻🔗
https://herolab.usd.de/security-advisories/usd-2023-0017/