usd-2023-0017 | XSS in SAP Partner Portal
Advisory ID: usd-2023-0017
Product: SAP Partner Portal
Vulnerability Type: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: HIGH
Vendor URL: https://partneredge.sap.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE number: Not assigned
CVE Link: Not assigned
When users do not have sufficient permissions to view a specific URL within the SAP Partner Portal, they are redirected to an error page.
During this redirection, the requested URL is passed to the error page as a URL parameter and embedded into the error message without any filtering or encoding.
Proof of Concept
Fix
Filter and encode user input before embedding it into error messages.
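The following sketch is an added example, not code from SAP or from the advisory. It contrasts an error page that reflects the URL parameter unchanged with one that filters and then HTML-encodes it. The parameter name `requestedUrl`, the host `portal.example` and the message template are assumptions, since the advisory does not name them.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Hypothetical parameter name; the advisory does not name the real one.
PARAM = "requestedUrl"
TEMPLATE = "<p>You are not authorized to view {url}</p>"

def reflected_value(error_page_url):
    """Extract the reflected URL parameter from the error page's own URL."""
    query = parse_qs(urlsplit(error_page_url).query, keep_blank_values=True)
    return query.get(PARAM, [""])[0]

def render_unsafe(error_page_url):
    """'Before' behaviour described in the advisory: no filtering, no encoding."""
    return TEMPLATE.format(url=reflected_value(error_page_url))

def is_plain_local_path(value):
    """Filter: accept only a same-site path made of printable characters."""
    parts = urlsplit(value)
    return (value.startswith("/") and not value.startswith("//")
            and not parts.scheme and not parts.netloc
            and value.isprintable() and len(value) <= 2048)

def render_safe(error_page_url):
    """Filter first, then HTML-encode whatever is embedded in the message."""
    value = reflected_value(error_page_url)
    if not is_plain_local_path(value):
        value = "the requested page"  # generic text instead of reflecting input
    return TEMPLATE.format(url=html.escape(value, quote=True))

# Constructed sample: a harmless <b> tag stands in for user-controlled markup.
SAMPLE = "https://portal.example/error?requestedUrl=/docs/%3Cb%3Ereport%3C/b%3E"

if __name__ == "__main__":
    print(render_unsafe(SAMPLE))  # markup reaches the page as markup
    print(render_safe(SAMPLE))    # markup is shown as text
```

Encoding is applied even to values that pass the filter, so a tag that the filter lets through is still rendered as text rather than as markup.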
Timeline
- 2023-04-25: The vulnerability was identified by Nicolas Schickert.
- 2023-04-28: The responsible disclosure team submitted vulnerability details via https://vulnerability-form.cfapps.sap.hana.ondemand.com/.
- 2023-05-11: The XSS vulnerability was patched and confirmed to be fixed after a retest by Nicolas Schickert. However, some HTML tags were still not properly encoded, even though XSS was no longer possible.
- 2023-06-06: A proof of concept for inserting HTML tags was sent to the SAP Security Team.
- 2023-06-12: SAP reports that the vulnerability is fixed and the reflected URL is now properly sanitized.
- 2023-09-25: Security advisory released by usd AG.
This security vulnerability was identified by Nicolas Schickert of usd AG.