SAP Knowledge Base Article - Public

3399974 - Vulnerability - HTML Injection on RMK site - Recruiting Marketing


HTML Injection via Security Misconfiguration TRACE


SAP SuccessFactors Recruiting Marketing

Reproducing the Issue

  1. Request the RMK website and change the HTTP method from GET to TRACE. The response returns 405, meaning the method should not be allowed, but the response still allows TRACE.
  2. Send another TRACE request to " Notice the more verbose response.
  3. Inject arbitrary HTML code in the "Cookie:" parameter and view the response.


According to the Security team, TRACE itself isn't considered a security vulnerability, as there's no sensitive data in the response payload. This is not specific to the RMK website: when checking against different sites using "curl" like and, the same information on SSL was returned.

They also advised that HTML injected using the Cookie doesn't get saved and doesn't impact subsequent messages.
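To confirm this behaviour on a site you administer, the added example below (not part of the SAP article and not SAP code) sends one TRACE request with a harmless marker in the Cookie header and reports whether the marker is echoed raw, HTML-encoded or not at all, and whether a 405 status was returned alongside an echo. The marker, the host `careers.example.com` and the sample response are constructed for illustration.

```python
import html
import http.client
import sys

MARKER = "<i>trace-check-7f3a</i>"  # constructed, harmless markup used as the probe

def send_trace(host, path="/", port=443, timeout=10):
    """Send one TRACE request with MARKER in the Cookie header."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={"Cookie": "probe=" + MARKER})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return resp.status, resp.getheader("Content-Type", ""), body
    finally:
        conn.close()

def classify(status, content_type, body, marker=MARKER):
    """Describe how a TRACE response treated the Cookie marker."""
    if marker in body:
        reflection = "raw"
    elif html.escape(marker) in body:
        reflection = "encoded"
    else:
        reflection = "none"
    return {
        "status": status,
        # The mismatch from step 1: status says "not allowed" but the request is echoed.
        "rejected_but_echoed": status == 405 and reflection != "none",
        "reflection": reflection,
        # Content-Type tells the client whether to treat the echoed bytes as HTML.
        "served_as_html": content_type.lower().startswith(("text/html", "application/xhtml")),
    }

# Constructed response for an offline run; not captured from any real site.
SAMPLE = (405, "text/html; charset=utf-8",
          "TRACE / HTTP/1.1\r\nHost: careers.example.com\r\nCookie: probe=" + MARKER + "\r\n")

if __name__ == "__main__":
    # With a hostname argument, probe that host; without one, classify the sample.
    result = classify(*send_trace(sys.argv[1])) if len(sys.argv) > 1 else classify(*SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A result of `reflection: none` after a configuration change shows that the server no longer echoes TRACE requests.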


rmk, vulnerability, html injection, trace, TRACE, curl, burpsuite, KBA, LOD-SF-RMK-SEC, Security & Vulnerabilities, Problem


SAP SuccessFactors Recruiting all versions