Product<\/strong>: SAP Fiori - My Travel and Expenses
Affected Version<\/strong>: Component Version: EA-HR 608 0117, Support Package: SAPK-608B7INEAHR
Vulnerability Type<\/strong>: CWE-862: Missing Authorization
Security Risk<\/strong>: Medium CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:U\/C:L\/I:L\/A:L
Vendor URL<\/strong>: https:\/\/www.sap.com<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE number<\/strong>: CVE-2024-32731
CVE Link<\/strong>: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-32731<\/a><\/p>\n
Affected Component(s)<\/h3>\n
SAP Fiori - My Travel and Expenses https:\/\/fioriappslibrary.hana.ondemand.com\/sap\/fix\/externalViewer\/#\/detail\/Apps('F0584')\/W10<\/a><\/p>\n In business trip requests, there is the option to upload attachments. Through the OData backend, users have access to all attachments as long as they are aware of the respective attachment IDs. Uploaded files can be retrieved with the following server request:<\/p>\n For example, if it's a PDF, the server will return the PDF:<\/p>\n As seen in line 6 of the request, Basic Auth can be utilized for user authentication. In this scenario, it is possible for another user, who is not the owner of the file, to access it as long as they know the ID. However, it's worth noting that these IDs are not easily enumerable.<\/p>\n Nevertheless, if the application accepts the upload of various file formats, it is possible to upload an HTML file with embedded JavaScript code and then send the link to any user. If the victim clicks on the link, it may result in the execution of the JavaScript code in the context of the victim.<\/p>\n If the session cookie is not adequately protected, this could additionally lead to the compromise of the active session.<\/p>\n In the following screenshot, a HTML file is being invoked. The file contains the following content:<\/p>\n It is recommended to restrict access to sensitive functions or information by default. https:\/\/cwe.mitre.org\/data\/definitions\/862.html<\/a><\/p>\nDesciption<\/h3>\n
If arbitrary file formats are accepted, for instance, HTML files with embedded JavaScript code can be uploaded. If a malicious user manages to persuade another person to click on the attachment link, it could lead to a reflected XSS, causing the JavaScript code within it to execute in the context of the invoking user.<\/p>\nProof of Concept<\/h3>\n
<\/span>GET<\/span> \/sap\/opu\/odata\/sap\/ZTV_TRQ_SRV\/Attachments('002049130000050945__FOL32000000000004EXT48000000004962______')\/$value<\/span> HTTP<\/span>\/<\/span>2
<\/span>Host<\/span>:<\/span> <sap-fiori-host>
<\/span>User-Agent<\/span>:<\/span> python-requests\/2.31.0
<\/span>Accept-Encoding<\/span>:<\/span> gzip, deflate, br
<\/span>Accept<\/span>:<\/span> *\/*
<\/span>Authorization<\/span>:<\/span> Basic [REDACTED]<\/span><\/pre>\n<\/div>\n<\/span>HTTP<\/span>\/<\/span>2<\/span> 200<\/span> OK<\/span>[...]<\/span>%PDF-1.4[...]<\/pre>\n<\/div>\n<\/span><html><\/span> <\/span><body><\/span> <\/span><script><\/span>alert(document.cookie)<\/script><\/span> <\/span><\/body><\/span><\/html><\/span><\/pre>\n<\/div>\n![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2024\/08\/xss.png\")
<\/p>\nFix<\/h3>\n
Required access privileges should be granted explicitly by a global access control mechanism.<\/p>\nReferences<\/h3>\n
Timeline<\/h3>\n