Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: bx2728.htm

SAP Netweaver 6.40-7.0 Cross-Site-Scripting
SAP Netweaver 6.40-7.0 Cross-Site-Scripting
SAP Netweaver 6.40-7.0 Cross-Site-Scripting

Title:          SAP Netweaver 6.40-7.0 Persistent Cross-Site-Scripting

Author:                 Jaime Blasco (at)

Description:    SAP Netweaver have a web interface for accesing filesystem of the portal, users can make "feedbacks" of
                files, input passed to the content of these feedbacks is not properly sanitised before being returned to the user.
                This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site

Solution:       This issue can be solved activating "Secure Editing" in Portal
(System Configuration -> System Configuration -> Knowledge management (in detailed Navigation) -> Utilities -> Editing -> HTML Editing)

Hence this issue can be solved via configuration - for more details see

NetWeaver 04 (6.40) SP17:
NetWeaver 7.0 SP8:
As of NetWeaver 7.0 SP15 the secure editor is on by default (SAP note 1110597:


* March 11: Initial contact.
* March 12: Confirmed
* April 5: Vendor response

Original Advisory:

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH