CVE-2010-2904

Name of the Vulnerable Software and Affected Versions SAP NetWeaver versions 6.4 through 7.02

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the System Landscape Directory (SLD) component. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the action parameter to testsdic and the helpstring parameter to paramhelp.jsp are vulnerable.

Recommendations For SAP NetWeaver versions 6.4 through 7.02, consider restricting access to the testsdic and paramhelp.jsp endpoints until a fix is available. As a temporary workaround, avoid using the action parameter in the testsdic endpoint and the helpstring parameter in the paramhelp.jsp endpoint.