The flaws were discovered in versions 6.10, 6.20, 6.40 and 7.00, and affect the business service provider (BSP) runtime of the Web application server.
The firm that discovered the vulnerabilities, Cybsec SA, which has offices in Panama, Ecuador and Argentina, has given the flaws medium to high threat classifications. SAP was notified in September and had a patch developed last month. The patch is being released this week in coordination with the advisory, according to Leandro Meiners, a Cybsec researcher who discovered the flaws.
Left open, the flaws could allow an attacker to execute arbitrary HTML and script code in a user's browser. Users could be tricked into visiting a malicious Web site by following a link with a trusted host name, according to Cybsec.
The link "will logout the user from the application (sap-sessioncmd=close), even if not logged in, and redirect to the attacker site," Meiners said.
A partial fix to the vulnerabilities can be found in SAP Note 887323, which indicates which service packs to apply, according to Cybsec.
SAP is also advising customers in SAP Note 887322, to disable the sap-exiturl parameter in older 6.10 releases and 6.20 prior to service pack 54. In newer 6.20 and 7.00 releases, the parameter will be submitted to a customer-configured white list, according to the Cybsec advisory.
Cybsec SAP advisories: