[ERPSCAN-12-010] SAP TesContainerAdmin service – Stored XSS

DSECRG Advisories

Application: SAP Cfolders (included in: SAP SRM, SAP ECC, SAP Knowledge Management and SAP NetWeaver cRooms)
Vendor URL: http://sap.com
Bugs: Multiple Stored XSS
Risk: High
Exploits: YES
Reported: 13.05.2011
Vendor response: 14.05.2011
Date of Public Advisory: 20.01.2012
Reference: SAP Security Note 1591749

SAP NetWeaver contains a stored XSS vulnerability in its Text Container Administration application.

Business Risk
A legitimate SAP user can insert a malicious script into SAP and gain unauthorized access to the workstation of any user who opens the link.