- 28 May 2008Advisories » SAP Internet Transaction Server "wgate.dll" Remote Cross-Site Scripting Vulnerability
| Release Date: | 08/05/2008 | Severity: | Less Critical  |
| SecWatch Advisory: | SWID1021131 | Cause: | Input validation error |
| Solution Status: | Vendor Patch | Impact: | Cross Site Scripting |
| Exploit Status: | None Available | Access Vector: | From remote |
| Affected Software: | SAP Internet Transaction Server (ITS) | ||
| Original Advisory: | http://www.portcullis-security.com/275.php |
||
| Secunia: | SA30128 | ||
Description:
A vulnerability in SAP Internet Transaction Server has been reported, which can be exploited by remote users to conduct cross-site scripting attacks.
An input validation error in wgate.dll reported in version 4620.2.0.323011 build 46B.323011 under CAN-2003-0749 has been reintroduced. This can be exploited to execute arbitrary script code in the security context of an affected website, as a result the code will be able to access any of the target user's cookies, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Affected:
SAP Internet Transaction Server wgate.dll version 6200.1017.50954.0 build 730827. Other versions may also be affected.
Solution:
The vendor has reportedly advised a solution and workaround is available via SAP note 1052053.
Credits:
Free Vulnerability Notification Service
Receive free instant and customisable notifications of new vulnerabilities or exploits via e-mail, web or RSS feeds. Click here for more information.
Related Vulnerabilities and Exploits
04 Oct 06: SAP Internet Transaction Server Remote Cross-Site Scripting Vulne..