Symptom
An automated vulnerability scan reports a potential reflected XSS vulnerability against the PAGE_BUILDER (PAGE_BUILDER_PERS) service in the Fiori Launchpad, indicating that code injected into a request is returned in the response and executed.
Example:
https://<server>:<port>/sap/opu/odata/UI2/PAGE_BUILDER_PERS/PageSets('%2FUI2%2FFiori2LaunchpadHome')?$expand=<img src=x onerror=alert(HI)>Pages/PageChipInstances/Chip/ChipBags/ChipProperties,Pages/PageChipInstances/RemoteCatalog,Pages/PageChipInstances/ChipInstanceBags/ChipInstanceProperties,AssignedPages,DefaultPage
would purportedly cause the browser to trigger an alert with the message "HI".
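One way to triage a scanner finding like this from a captured response, as an added example that is not part of the SAP article: it checks whether the probe string comes back unencoded and whether the response's Content-Type is one a browser renders as markup. The function name, verdict labels and sample responses are constructed for illustration and do not represent actual PAGE_BUILDER_PERS output.

```python
import html
from urllib.parse import quote

# Content types a browser parses as markup. XML types are included
# conservatively: namespaced elements in an XML document can run script.
MARKUP_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}

PAYLOAD = "<img src=x onerror=alert(HI)>"  # probe string from the scan report
# Constructed responses for illustration, not captured from an SAP system.
SAMPLES = {
    "json_error": ({"Content-Type": "application/json; charset=utf-8",
                    "X-Content-Type-Options": "nosniff"},
                   '{"error":{"message":"Invalid $expand: ' + PAYLOAD + 'Pages"}}'),
    "html_raw": ({"Content-Type": "text/html"}, "<p>Bad value: " + PAYLOAD + "</p>"),
    "html_escaped": ({"Content-Type": "text/html"},
                     "<p>Bad value: " + html.escape(PAYLOAD) + "</p>"),
    "text_no_nosniff": ({"Content-Type": "text/plain"}, "Bad value: " + PAYLOAD),
}

def triage_reflection(payload, headers, body):
    """Classify a reflected-XSS finding from one captured response."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    nosniff = hdrs.get("x-content-type-options", "").strip().lower() == "nosniff"
    if payload not in body:
        encoded_forms = (html.escape(payload), quote(payload, safe=""))
        if any(form in body for form in encoded_forms):
            return "encoded"        # echoed, but neutralised by output encoding
        return "not-reflected"
    if ctype in MARKUP_TYPES or not ctype:
        return "active"             # raw markup in a rendered (or untyped) document
    if not nosniff:
        return "sniffable"          # non-rendered type, but nosniff is missing
    return "inert"                  # raw echo in a non-rendered type with nosniff

def run_samples():
    return {name: triage_reflection(PAYLOAD, h, b) for name, (h, b) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} {verdict}")
```

An "inert" or "encoded" verdict means the scanner matched an echo that a browser would not execute; "active" and "sniffable" are the cases that need manual confirmation in a browser.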
Keywords
PAGE_BUILDER_PERS, Pages, PageSets, KBA, CA-UI2-INT-BE, Please use CA-FLP-ABA, CA-FE-FLP-EU, Please use CA-FLP-FE-UI, CA-UI2-INT-FE, Please use CA-FLP-FE-COR, Problem
About this page
This is a preview of a SAP Knowledge Base Article. The full version is on SAP for Me (login required).