{"id":20893,"date":"2023-09-26T13:05:30","date_gmt":"2023-09-26T11:05:30","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=20893"},"modified":"2023-11-08T11:08:40","modified_gmt":"2023-11-08T10:08:40","slug":"usd-2023-0017","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0017\/","title":{"rendered":"usd-2023-0017"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.21.0\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n<h1>usd-2023-0017 | XSS in SAP Partner Portal<\/h1>\n<h1><\/h1>\n<p><strong>Advisory ID<\/strong>: usd-2023-0017<br \/><strong>Product<\/strong>: SAP Partner Portal<br \/><strong>Vulnerability Type<\/strong>: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')<br \/><strong>Security Risk<\/strong>: HIGH<br \/><strong>Vendor URL<\/strong>: <a>https:\/\/partneredge.sap.com\/<\/a><br \/><strong>Vendor acknowledged vulnerability<\/strong>: Yes<br \/><strong>Vendor Status<\/strong>: Fixed<br \/><strong>CVE number<\/strong>: Not assigned<br \/><strong>CVE Link<\/strong>: Not assigned<\/p>\n<h3>Description<\/h3>\n<p>In cases where users do not have sufficient permissions to view a specific URL within the SAP Partner Portal they are redirected to an error page.<br \/>During this redirection the requested URL is passed to the error page as a URL parameter and embedded into the error message without any filtering or encoding.<\/p>\n<p>Therefore it is possible to include HTML-Tags and JavaScript in the URL, making it possible for malicious actors to launch XSS attacks.<\/p>\n<h3>Proof of Concept<\/h3>\n<p>A proof of concept JavaScript-Alert-Box is shown with this URL:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span>https:\/\/partneredge.sap.com\/en\/errors\/not-authorized.html?deniedPage=https%3A%2F%2Fpartneredge.sap.com%3Cimg%20src=x%20onerror=alert(document.domain)%3Ea%2Fen%2F.html\n<\/pre>\n<\/div>\n<h3>Fix<\/h3>\n<p>Filter and encode user input before embedding it into error messages.<\/p>\n<h3>References<\/h3>\n<p><a>https:\/\/www.owasp.org\/index.php\/Cross-site_Scripting_(XSS)<\/a><\/p>\n<h3>Timeline<\/h3>\n<ul>\n<li><strong>2023-04-25<\/strong>: The vulnerability was identified by Nicolas Schickert.<\/li>\n<li><strong>2023-04-28<\/strong>: The responsible disclosure team submits vulnerability details via <a>https:\/\/vulnerability-form.cfapps.sap.hana.ondemand.com\/.<\/a><\/li>\n<li><strong>2023-05-11<\/strong>: XSS vulnerability was patched and confirmed to be fixed after a restest by Nicolas Schickert. However, some HTML-Tags still were not properly encoded, even though XSS was no longer possible.<\/li>\n<li><strong>2023-06-06<\/strong>: A Proof-of-Concept for inserting HTML Tags was sent to the SAP Security Team.<\/li>\n<li><strong>2023-06-12<\/strong>: SAP reports that the vulnerability is fixed and the reflected URL is now properly sanitized.<\/li>\n<li><strong>2023-09-25<\/strong>: Security advisory released by usd AG.<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p>This security vulnerability was identified by Nicolas Schickert of usd AG.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2023-0017 | XSS in SAP Partner Portal Advisory ID: usd-2023-0017Product: SAP Partner PortalVulnerability Type: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Security Risk: HIGHVendor URL: https:\/\/partneredge.sap.com\/Vendor acknowledged vulnerability: YesVendor Status: FixedCVE number: Not assignedCVE Link: Not assigned Description In cases where users do not have sufficient permissions to view a specific URL [&hellip;]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-20893","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/20893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=20893"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/20893\/revisions"}],"predecessor-version":[{"id":21301,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/20893\/revisions\/21301"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=20893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}