SAP WebAS ITS Mobile Start Service Multiple Vulnerabilities
The information has been provided by Mariano Nuñez Di Croce.
The original article can be found at: http://seclists.org/bugtraq/2011/Apr/280
* SAP BASIS 640
* SAP BASIS 700-702
* SAP BASIS 710-730
It has been detected that the ITS Mobile Start service suffers from input validation vulnerabilities and design weaknesses, which can be exploited to perform XSS and arbitrary redirect attacks.
Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.
The patches can be downloaded from:
2010-09-22: Vulnerability information to SAP.
2010-09-23: SAP confirms reception of vulnerability submission.
2011-01-11: SAP releases security patches.
2011-04-19: Security advisory to security mailing lists.