SAP Knowledge Base Article - Preview

2222005 - XSS vulnerability in 'Message to purchaser' textbox in SUS

Symptom

While processing a purchase order response in SUS, you are able to enter text that is later interpreted and executed as a script. For example:

XXX<>"'YYY</textarea><script>alert(23)</script><textarea>

After the document is saved, this script triggers a popup each time the PO is accessed. In the same way, a malicious script could be entered that would cause security issues when executed.
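The example text in the symptom works by closing the textarea early: the browser treats textarea content as raw text only until the first literal </textarea>, so anything after it is parsed as ordinary markup and a following <script> tag runs. The following JavaScript is an added illustration, not SAP code and not the SUS rendering logic; it shows a vulnerable render of the 'Message to purchaser' field beside a hardened one that HTML-escapes the value before placing it in the page, together with two checks a reviewer can run on the produced markup. The sample message is the one quoted in this KBA; the function names are invented for this example.

```javascript
// Added example (not SAP's code): why the 'Message to purchaser' value must be
// HTML-escaped before it is written inside a <textarea>, and how to verify it.

// Constructed sample input, copied from the symptom description above.
const PURCHASER_MESSAGE =
  `XXX<>"'YYY</textarea><script>alert(23)</script><textarea>`;

// Minimal HTML entity escaper for element text and attribute values.
// Escaping '<' and '>' is what prevents a literal "</textarea>" from
// ending the element early.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the stored message is interpolated unchanged.
function renderMessageUnsafe(message) {
  return `<textarea name="message">${message}</textarea>`;
}

// Hardened rendering: the message is escaped for the HTML text context first.
function renderMessageSafe(message) {
  return `<textarea name="message">${escapeHtml(message)}</textarea>`;
}

// Review check 1: a rendered form field should never contain a <script> start tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Review check 2: the markup for one field should close the textarea exactly once.
// A count above one means user data ended the element and escaped the text context.
function textareaCloseCount(html) {
  return (html.match(/<\/textarea>/gi) || []).length;
}

// Stand-alone demonstration of both renderings.
if (typeof require !== 'undefined' && require.main === module) {
  const unsafe = renderMessageUnsafe(PURCHASER_MESSAGE);
  const safe = renderMessageSafe(PURCHASER_MESSAGE);
  console.log('unsafe:', unsafe, '| script tag:', containsScriptTag(unsafe),
              '| textarea closes:', textareaCloseCount(unsafe));
  console.log('safe:  ', safe, '| script tag:', containsScriptTag(safe),
              '| textarea closes:', textareaCloseCount(safe));
}
```

The escaper is deliberately context-specific: it is correct for element text and quoted attribute values, which is where the purchaser message is placed here, but it is not sufficient for values written into JavaScript, URLs or CSS, each of which needs its own encoding. In an ABAP-based SUS system the equivalent step is applying the platform's XSS replacement to the long text before output, which is what the BBP_PDH_XSS_REPLACE keyword on this page refers to.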


Environment

  • SAP Supplier Relationship Management (SRM) 7.0 and higher
  • SAP enhancement package for SAP Supplier Relationship Management
  • Supplier Self Services (SUS)

Product

SAP Supplier Relationship Management 7.0 ; SAP Supplier Relationship Management 7.0 on SAP enhancement package 1 for SAP NetWeaver 7.0 ; SAP enhancement package for SAP Supplier Relationship Management all versions

Keywords

cross site scripting, BBP_PDH_XSS_REPLACE, long text parsing, KBA, xss_replace_on, bbpc_xss_replace, SRM-SUS, Supplier Self-Services, Problem
