ID

VAR-200908-0363


CVE

CVE-2009-2932


TITLE

SAP NetWeaver Application Server UDDI Client cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2009-006252

DESCRIPTION

Cross-site scripting (XSS) vulnerability in uddiclient/process in the UDDI client in SAP NetWeaver Application Server (Java) 7.0 allows remote attackers to inject arbitrary web script or HTML via the TModel Key field. SAP NetWeaver Application Server is prone to an HTML-injection vulnerability because the application's UDDI client fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. This issue is documented by SAP Note 1322098.

TITLE:
SAP NetWeaver Application Server UDDI Client Cross-Site Scripting

SECUNIA ADVISORY ID:
SA36228

VERIFY ADVISORY:
http://secunia.com/advisories/36228/

DESCRIPTION:
A vulnerability has been reported in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks. The vulnerability is reported in SAP NetWeaver Application Server Java version 7.0. Other versions may also be affected.

SOLUTION:
Apply vendor patch (please see SAP note 1322098).
https://service.sap.com/sap/support/notes/1322098

PROVIDED AND/OR DISCOVERED BY:
Alexander Polyakov, Digital Security Research Group [DSecRG]

ORIGINAL ADVISORY:
http://www.dsecrg.com/pages/vul/show.php?id=133

Trust: 1.98

sources: NVD: CVE-2009-2932 // JVNDB: JVNDB-2009-006252 // BID: 36034 // PACKETSTORM: 80345

AFFECTED PRODUCTS

vendor: sap, model: netweaver, scope: eq, version: 7.0

Trust: 2.4

vendor: sap, model: netweaver application server, scope: eq, version: 7.0

Trust: 0.3

sources: BID: 36034 // JVNDB: JVNDB-2009-006252 // CNNVD: CNNVD-200908-337 // NVD: CVE-2009-2932

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-2932
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-2932
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200908-337
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2009-2932
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2009-006252 // CNNVD: CNNVD-200908-337 // NVD: CVE-2009-2932

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2009-006252 // NVD: CVE-2009-2932

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200908-337

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 80345 // CNNVD: CNNVD-200908-337

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-006252

PATCH

title: NetWeaver, url: http://scn.sap.com/community/netweaver

Trust: 0.8

sources: JVNDB: JVNDB-2009-006252

EXTERNAL IDS

db: NVD, id: CVE-2009-2932

Trust: 2.4

db: BID, id: 36034

Trust: 1.9

db: SECUNIA, id: 36228

Trust: 1.7

db: SECTRACK, id: 1022731

Trust: 1.6

db: OSVDB, id: 57000

Trust: 1.6

db: JVNDB, id: JVNDB-2009-006252

Trust: 0.8

db: XF, id: 52429

Trust: 0.6

db: BUGTRAQ, id: 20090812 [DSECRG-09-033] SAP NETWEAVER UDDI - XSS SECURITY VULNERABILITY

Trust: 0.6

db: CNNVD, id: CNNVD-200908-337

Trust: 0.6

db: PACKETSTORM, id: 80345

Trust: 0.1

sources: BID: 36034 // JVNDB: JVNDB-2009-006252 // PACKETSTORM: 80345 // CNNVD: CNNVD-200908-337 // NVD: CVE-2009-2932

REFERENCES

url:http://www.dsecrg.com/pages/vul/show.php?id=133

Trust: 2.0

url:https://service.sap.com/sap/support/notes/1322098

Trust: 1.7

url:http://www.securitytracker.com/id?1022731

Trust: 1.6

url:http://www.securityfocus.com/bid/36034

Trust: 1.6

url:http://secunia.com/advisories/36228

Trust: 1.6

url:http://osvdb.org/57000

Trust: 1.6

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/52429

Trust: 1.0

url:http://www.securityfocus.com/archive/1/505697/100/0/threaded

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2932

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-2932

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/52429

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/505697/100/0/threaded

Trust: 0.6

url:/archive/1/505697

Trust: 0.3

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/advisories/business_solutions/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/36228/

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: BID: 36034 // JVNDB: JVNDB-2009-006252 // PACKETSTORM: 80345 // CNNVD: CNNVD-200908-337 // NVD: CVE-2009-2932

CREDITS

Alexander Polyakov

Trust: 0.6

sources: CNNVD: CNNVD-200908-337

SOURCES

db: BID, id: 36034
db: JVNDB, id: JVNDB-2009-006252
db: PACKETSTORM, id: 80345
db: CNNVD, id: CNNVD-200908-337
db: NVD, id: CVE-2009-2932

LAST UPDATE DATE

2024-11-23T23:13:06.207000+00:00


SOURCES UPDATE DATE

db: BID, id: 36034, date: 2009-08-21T15:55:00
db: JVNDB, id: JVNDB-2009-006252, date: 2012-12-20T00:00:00
db: CNNVD, id: CNNVD-200908-337, date: 2009-08-24T00:00:00
db: NVD, id: CVE-2009-2932, date: 2024-11-21T01:06:05.630

SOURCES RELEASE DATE

db: BID, id: 36034, date: 2009-08-12T00:00:00
db: JVNDB, id: JVNDB-2009-006252, date: 2012-12-20T00:00:00
db: PACKETSTORM, id: 80345, date: 2009-08-15T10:26:49
db: CNNVD, id: CNNVD-200908-337, date: 2009-08-21T00:00:00
db: NVD, id: CVE-2009-2932, date: 2009-08-21T20:30:00.407