‘SAP WebAS ITS Mobile Start Service Multiple Vulnerabilities’


Multiple vulnerabilities were identified in SAP WebAS ITS Mobile Start Service.’


‘The information has been provided by Mariano Nu ez Di Croce.
The original article can be found at: http://seclists.org/bugtraq/2011/Apr/280


Vulnerable Systems:
 * SAP BASIS 640
 * SAP BASIS 700-702
 * SAP BASIS 710-730

It has been detected that the ITS Mobile Start service suffers from input validation vulnerabilities and design weaknesses, which can be exploited to perform XSS and arbitrary redirects attacks.

Further technical details about this issue are not disclosed at this moment with the purpose of providing enough time to affected customers to patch their systems and protect against the exploitation of the described vulnerability.

Patch Availability:
The patches can be downloaded from:

Disclosure Timeline:
2010-09-22: Vulnerability information to SAP.
2010-09-23: SAP confirms reception of vulnerability submission.
2011-01-11: SAP releases security patches.
2011-04-19: Security advisory to security mailing lists.’

Categories: News