WebDynpro application could be abused by a malicious user, who could modify displayed application content without authorization and potentially obtain authentication information from other legitimate users.
The WebDynpro Framework does not sufficiently encode input parameters, resulting in a reflected cross-site scripting issue. A reflected cross-site scripting attack can be used to non-permanently deface or modify displayed content from a web site. Reflected cross-site scripting can also be used to steal another user's authentication information, such as data relating to their current session. An attacker who gains access to this data could use it to impersonate the user and access all information with the same rights as the target user. If an administrator is impersonated, the application's security could be fully compromised.
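To make concrete what "sufficiently encode" means for a reflected parameter, the following is an added example (not code from SAP or the WebDynpro framework) that HTML-encodes a request parameter before it is rendered in both text and attribute context; the class name, method names and the sample parameter value are assumptions.

```java
/** Added example: HTML-encode a reflected request parameter before rendering it. */
public final class ReflectedParamEncoder {

    // Encode every character that can change HTML structure or terminate an
    // attribute value. Encoding only '<' and '>' is not sufficient when the
    // value is also placed inside a quoted attribute.
    static String encodeForHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical render step: the parameter is reflected into a title attribute
    // and into element text. Only the encoded form is written to the response.
    static String renderGreeting(String nameParam) {
        String safe = encodeForHtml(nameParam);
        return "<span title=\"" + safe + "\">Welcome, " + safe + "</span>";
    }

    public static void main(String[] args) {
        // Constructed sample value containing HTML-significant characters.
        String param = "Tom & \"Jerry\" <admin>";
        System.out.println("raw      : " + param);
        System.out.println("rendered : " + renderGreeting(param));
    }
}
```

The rendered output contains no raw `<`, `>`, `"` or `&` originating from the parameter, so the browser treats the whole value as data rather than markup.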
The issue described above will be fixed by a WebDynpro for Java patch.
The section "SP Patch Level" lists which patches contain the respective correction.
Please install this patch or a newer one (WD-RUNTIME and FRAMEWORK patches are always cumulative).
If the section "SP Patch Level" is not available, or the information about which patch contains the correction is missing, this means that it has not yet been determined. In this case, please re-check this note at a later point in time.
Downloading WebDynpro for Java Patches
All WebDynpro for Java patches are available on SAP Service Marketplace.
Note 330793 explains how to download patches from SAP Service Marketplace.
Note 1395865 explains how to find the Web Dynpro for Java related SCAs.
Update your system via JSPM.
Please refer to the official JSPM documentation for the release-specific steps below.
NW04 / NW 6.40
The patch for this release is delivered as a SAR file; extract it to obtain the SDAs. The SDAs can then be deployed using JSPM.
NW 7.00 / NW7.10 / NW7.11 / NW 7.20
The patches for these releases are delivered as SCAs. Deploy the SCAs directly using JSPM.
From a WebDynpro perspective, we recommend applying both WD-RUNTIME.SCA and FRAMEWORK.SCA. If either archive is not mentioned in the 'SP Patch Level' tab, it is still recommended to apply the version of it that is available on SAP Service Marketplace.
Because many of the SDAs included in the SCA require offline deployment, the engine is restarted during the deployment. An update is only required on the engine.
The required time depends on whether the engine has to be restarted. In addition, the time required for the restart is determined by the applications installed on the engine.