http://www.dsecrg.com/pages/vul/show.php?id=133

Digital Security Research Group [DSecRG] Advisory       #DSECRG-09-033

Application:                    SAP NetWeaver Application Server (Java)         
Versions Affected:              Version 7.0 
Vendor URL:                     http://SAP.com
Bugs:                           XSS
Exploits:                       YES
Reported:                       18.03.2009
Vendor response:                19.03.2009
Date of Public Advisory:        11.08.2009
CVE-number:                
Author:                         Alexander Polyakov 
                                Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)

Description
***********
The UDDI client shipped with SAP NetWeaver Application Server (Java) has a reflected ("linked") XSS vulnerability: user input is echoed into the response page without HTML encoding, so a crafted link can inject script that runs in the victim's browser in the context of the SAP portal.

Details
*******

Reflected ("linked") XSS vulnerability in the UDDI client: the value submitted in the "TModel Key" field is written back into the page without HTML attribute encoding, so a double quote in the input closes the attribute and the rest of the input is parsed as new markup.
Vulnerable page:    /uddiclient/process
Vulnerable field:   "TModel Key"

Example
*******

aa"><img/src=javascript:alert('dsecrg xss')>

The leading aa" closes the quoted attribute value, > closes the input tag, and what follows is a new <img> element whose src is a javascript: URI. Browsers of that era (e.g. Internet Explorer 6/7) executed javascript: URIs in image sources; current browsers do not, so the alert itself may not fire there, but the attribute breakout that lets an attacker inject arbitrary markup is independent of the browser.
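
The following is an added example (not DSecRG's or SAP's code) showing how to verify the condition described above offline: it renders a constructed stand-in for the UDDI client form that echoes the field value either raw (the vulnerable behaviour) or attribute-encoded (the hardened behaviour), then parses the result the way a browser would and reports whether the advisory's payload produced a new element with a javascript: URL. The form markup and the parameter name tModelKey are assumptions; the advisory names only the page and the field label.

```python
"""
Added example, not DSecRG's or SAP's code: an offline check for a field value
echoed into an HTML attribute without encoding, using the advisory's payload.
The response pages are constructed stand-ins for the UDDI client's form; the
parameter name "tModelKey" is assumed (the advisory names only "TModel Key").
"""
import html
from html.parser import HTMLParser

# Payload from the advisory: `aa"` closes the quoted attribute value, `>`
# closes the <input> tag, and the rest is a new <img> element whose src is a
# javascript: URI (executed by browsers of that era, e.g. IE 6/7).
PAYLOAD = "aa\"><img/src=javascript:alert('dsecrg xss')>"
FIELD = "tModelKey"  # assumed parameter name, not taken from the advisory


def escape_for_attribute(value: str) -> str:
    """Encode a value for a double-quoted HTML attribute: & < > " ' are replaced."""
    return html.escape(value, quote=True)


def render_form(value: str, escape: bool) -> str:
    """Constructed stand-in for the UDDI client response that echoes the field.

    escape=False reproduces the vulnerable behaviour (raw reflection);
    escape=True is the hardened variant.
    """
    shown = escape_for_attribute(value) if escape else value
    return (
        '<form action="/uddiclient/process" method="post">'
        f'<input type="text" name="{FIELD}" value="{shown}">'
        '<input type="submit" value="Find">'
        "</form>"
    )


class ScriptSinkFinder(HTMLParser):
    """Collects (tag, attribute, value) for URL attributes with a javascript: scheme."""

    URL_ATTRS = {"src", "href", "action", "formaction"}

    def __init__(self) -> None:
        super().__init__()
        self.sinks: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.sinks.append((tag, name, value))


def javascript_sinks(body: str) -> list[tuple[str, str, str]]:
    """Parse the page as a browser would and return every javascript: URL sink."""
    finder = ScriptSinkFinder()
    finder.feed(body)
    finder.close()
    return finder.sinks


def is_vulnerable(body: str, payload: str) -> bool:
    """True when the payload is reflected verbatim AND the parser sees the injected element.

    `payload in body` confirms reflection; `javascript_sinks` confirms the
    reflection broke out of the attribute into a new element. A page that
    already carried a javascript: link would otherwise be a false positive,
    and an encoded reflection parses back to plain text inside the attribute
    and yields no sink.
    """
    return payload in body and bool(javascript_sinks(body))


if __name__ == "__main__":
    for escape in (False, True):
        page = render_form(PAYLOAD, escape)
        print("encoded" if escape else "raw    ", "vulnerable:", is_vulnerable(page, PAYLOAD),
              "sinks:", javascript_sinks(page))
```

Running the block prints one line per variant: the raw reflection is flagged with a single (img, src, javascript:...) sink, the encoded reflection is not. Against a live system the same two functions would be applied to the real response body of /uddiclient/process after submitting the payload in the "TModel Key" field.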

Fix Information
***************
The issue has been fixed by SAP; see SAP Note 1322098 for the patch and the affected support package levels.

References:
***********
SAP note 1322098
https://service.sap.com/sap/support/notes/1322098

DSecRG-09-033
http://www.dsecrg.com/pages/vul/show.php?id=133

About
*****
Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact:        research [at] dsecrg [dot] com
                http://www.dsecrg.com

Polyakov Alexandr
Chief Information Security Analyst