Uploaded documents are displayed in SAP Fiori apps without any further security-related checks. If a document contains malicious content (for example HTML or JavaScript that the browser executes when the document is displayed), unintended actions can be triggered at the front end during download or display, which can lead to cross-site scripting vulnerabilities. Various SAP Fiori apps offer the possibility to upload or display documents. If you use one of these apps, you must install an appropriate virus scanner and define sufficiently restrictive scan profiles to prevent the upload of malicious content.
The virus scanner rejects every document that does not comply with the rules defined in the settings of the scan profile. These rules must disallow dangerous MIME types, in particular document types with active content such as HTML or JavaScript.
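The following Python snippet is an added illustration of the kind of rule a restrictive scan profile enforces; it is not SAP's scanner code and does not use the SAP virus scan interface. It assumes an allow-list of document types and decides from the file's leading bytes, not from the client-declared content type or file extension, because a browser may render what the bytes look like rather than what the upload claimed to be. The sample uploads are constructed for this example.

```python
import re

# MIME types that carry active content and must never be accepted,
# whatever the client declared (assumed block-list for this example).
ACTIVE_CONTENT_TYPES = {"text/html", "application/xhtml+xml", "text/javascript",
                        "application/javascript", "image/svg+xml"}

# Document types the hypothetical scan profile permits (assumed allow-list).
ALLOWED_TYPES = {"application/pdf", "image/png", "image/jpeg", "text/plain"}

# Magic-byte signatures for the binary types on the allow-list.
MAGIC = [
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

# Markup that makes a browser treat a file as HTML regardless of its name.
HTML_TAG = re.compile(
    rb"<\s*(!doctype\s+html|html|script|iframe|body|head|meta|object|embed)\b", re.I)


def sniff_mime(data: bytes) -> str:
    """Derive a MIME type from the content itself (first 512 bytes)."""
    head = data[:512]
    for magic, mime in MAGIC:
        if head.startswith(magic):
            return mime
    # Skip a UTF-8 BOM and leading whitespace, as browser sniffers do.
    stripped = head.lstrip(b"\xef\xbb\xbf \t\r\n")
    if b"<svg" in stripped.lower()[:256]:
        return "image/svg+xml"          # SVG can carry scripts and event handlers
    if HTML_TAG.search(stripped):
        return "text/html"
    if b"\x00" not in head:
        try:
            head.decode("utf-8")
            return "text/plain"
        except UnicodeDecodeError:
            pass
    return "application/octet-stream"


def check_upload(declared_mime: str, data: bytes) -> tuple[bool, str]:
    """Accept only if the content-derived type is allowed and matches the declared type."""
    actual = sniff_mime(data)
    if actual in ACTIVE_CONTENT_TYPES:
        return False, f"active content detected ({actual})"
    if actual not in ALLOWED_TYPES:
        return False, f"MIME type {actual} not in allow-list"
    declared = declared_mime.lower().split(";")[0].strip()
    if declared != actual:
        return False, f"declared {declared} but content is {actual}"
    return True, actual


# Constructed sample uploads: (declared MIME type, file bytes).
SAMPLES = {
    "quote.pdf": ("application/pdf", b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"),
    "logo.png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "notes.txt": ("text/plain", b"delivery confirmed, see attached document"),
    # HTML renamed to .pdf and declared as PDF: a browser would still run the script.
    "invoice.pdf": ("application/pdf",
                    b"<html><script>alert(document.cookie)</script></html>"),
    # SVG with an event handler, declared as JPEG.
    "photo.jpg": ("image/jpeg",
                  b"<?xml version='1.0'?><svg onload='alert(1)' xmlns='http://www.w3.org/2000/svg'/>"),
    # Real PDF declared as plain text: rejected because declaration and content disagree.
    "readme.txt": ("text/plain", b"%PDF-1.4\n%binary"),
}


def scan_all(samples: dict = SAMPLES) -> dict[str, bool]:
    """Run the check over every sample and return name -> accepted."""
    return {name: check_upload(mime, data)[0] for name, (mime, data) in samples.items()}


if __name__ == "__main__":
    for name, (mime, data) in SAMPLES.items():
        ok, reason = check_upload(mime, data)
        print(f"{name:12} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The mismatch rule in the last check is deliberate: a file whose bytes are a legitimate PDF but which was declared as text/plain is still rejected, because a consumer that trusts the declaration would handle it with the wrong viewer. A content scanner of this kind does not replace a virus scanner; it only implements the MIME-type part of a restrictive profile.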
The documents are checked with a scan profile before being stored in the Knowledge Provider (KPro). The following scan profiles are available for the SAP Fiori apps offering the possibility to upload or display documents:
Area | Scan Profile |
---|---|
Standard | |
SAP Master Data Governance | |
Note
For the SAP Fiori apps My Quotations and Sales Order Fulfillment Monitor, you can overrule the standard scan profile with the following settings (evaluated from top to bottom until a profile is found):
1. Value of parameter &GOS_VPROFILE from memory ID &GOS_VSI_PROFILE
2. Value of parameter &BCS_VPROFILE from memory ID &BCS_VSI_PROFILE
3. Value in field VALUE for the record in table SXPARAMS with key PARAM = SO_VSI_PROFILE