An automated vulnerability scan reports a potential reflected XSS vulnerability in the PAGE_BUILDER (PAGE_BUILDER_PERS) OData service of the Fiori Launchpad, indicating that script code injected into a request is returned in the response and executed by the browser. For example, the request
https://<server>:<port>/sap/opu/odata/UI2/PAGE_BUILDER_PERS/PageSets('%2FUI2%2FFiori2LaunchpadHome')?$expand=<img src=x onerror=alert(HI)>Pages/PageChipInstances/Chip/ChipBags/ChipProperties,Pages/PageChipInstances/RemoteCatalog,Pages/PageChipInstances/ChipInstanceBags/ChipInstanceProperties,AssignedPages,DefaultPage
would purportedly cause the browser to display an alert with the message "HI".
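As an added triage example (not SAP's code and not part of this KBA), the following Python extracts the $expand value from a request like the one above and classifies a captured response: the value may be absent, reflected only HTML-encoded, reflected verbatim in a non-HTML media type such as the XML or JSON an OData error normally carries, or reflected verbatim inside a text/html document, which is the only case that confirms the scanner's finding. The host, port and shortened expand list in SCAN_URL and the three sample responses are constructed, not captured from a real system.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request modelled on the scanner finding (placeholder host/port,
# shortened expand list); not a real capture.
SCAN_URL = ("https://sap-host.example:44300/sap/opu/odata/UI2/PAGE_BUILDER_PERS/"
            "PageSets('%2FUI2%2FFiori2LaunchpadHome')"
            "?$expand=<img src=x onerror=alert(HI)>Pages/PageChipInstances/Chip")


def expand_payload(url: str) -> str:
    """Return the raw value the scanner placed in the $expand query option."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("$expand", [""])[0]


def classify_reflection(content_type: str, body: str, payload: str) -> str:
    """Triage a 'potential reflected XSS' finding from a captured response.

    not_reflected          payload does not appear in the body at all
    reflected_escaped      payload appears only with < > " ' HTML-encoded
    reflected_raw_non_html payload appears verbatim, but the media type is
                           JSON/XML/Atom, which a browser will not render as HTML
    reflected_raw_html     payload appears verbatim in a text/html response:
                           the finding is confirmed and needs fixing
    """
    media_type = content_type.split(";")[0].strip().lower()
    if payload in body:
        return "reflected_raw_html" if media_type == "text/html" else "reflected_raw_non_html"
    if html.escape(payload) in body or html.escape(payload, quote=False) in body:
        return "reflected_escaped"
    return "not_reflected"


# Constructed responses covering three outcomes; not captured from a real system.
XML_ERROR = ("<?xml version=\"1.0\"?><error><message>Invalid expand path "
             "'&lt;img src=x onerror=alert(HI)&gt;Pages/PageChipInstances/Chip'"
             "</message></error>")
JSON_ECHO = '{"message":"<img src=x onerror=alert(HI)>Pages/PageChipInstances/Chip"}'
HTML_ECHO = ("<html><body>Invalid expand path "
             "'<img src=x onerror=alert(HI)>Pages/PageChipInstances/Chip'</body></html>")


def triage_all() -> dict:
    """Run the classifier over the constructed responses, keyed by sample name."""
    payload = expand_payload(SCAN_URL)
    return {
        "xml": classify_reflection("application/xml;charset=utf-8", XML_ERROR, payload),
        "json": classify_reflection("application/json", JSON_ECHO, payload),
        "html": classify_reflection("text/html; charset=utf-8", HTML_ECHO, payload),
    }
```

Only the reflected_raw_html outcome reproduces what the scanner claims; the other outcomes are what to record when closing the finding as a false positive or as a lower-severity data-exposure note.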
Keywords: PAGE_BUILDER_PERS, Pages, PageSets. Type: KBA, Problem. Components: CA-UI2-INT-BE (please use CA-FLP-ABA), CA-FE-FLP-EU (please use CA-FLP-FE-UI), CA-UI2-INT-FE (please use CA-FLP-FE-COR).
This is a preview of an SAP Knowledge Base Article; the full version is available on the SAP ONE Support Launchpad (login required).