Details of VAR-201112-0274

ID

VAR-201112-0274

CVE

CVE-2011-4805

TITLE

SAP Crystal Report Server 2008 'pubDBLogon.jsp' Cross-Site Scripting Vulnerability

Trust: 0.8

sources: IVD: 54741eca-1f88-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-3708

DESCRIPTION

Cross-site scripting (XSS) vulnerability in pubDBLogon.jsp in SAP Crystal Report Server 2008 allows remote attackers to inject arbitrary web script or HTML via the service parameter. SAP Crystal Reports Server 2008 is a comprehensive reporting solution that creates, manages, and delivers reports online or embedded in enterprise applications. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 2.61

sources: NVD: CVE-2011-4805 // JVNDB: JVNDB-2011-003371 // CNVD: CNVD-2011-3708 // BID: 49656 // IVD: 54741eca-1f88-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 54741eca-1f88-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-3708

AFFECTED PRODUCTS

vendor:	sap	model:	crystal reports server	scope:	eq	version:	2008	Trust: 2.2
vendor:	sap	model:	crystal report server	scope:	eq	version:	2008	Trust: 0.8
vendor:	sap	model:	crystal reports server	scope:	eq	version:	20080	Trust: 0.3
vendor:	crystal reports server	model:	-	scope:	eq	version:	2008	Trust: 0.2

sources: IVD: 54741eca-1f88-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-3708 // BID: 49656 // JVNDB: JVNDB-2011-003371 // CNNVD: CNNVD-201112-217 // NVD: CVE-2011-4805

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2011-4805
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2011-4805
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201112-217
value:	MEDIUM
Trust: 0.6
IVD:	54741eca-1f88-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2011-4805
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
IVD:	54741eca-1f88-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: 54741eca-1f88-11e6-abef-000c29c66e3d // JVNDB: JVNDB-2011-003371 // CNNVD: CNNVD-201112-217 // NVD: CVE-2011-4805

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2011-003371 // NVD: CVE-2011-4805

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201109-280 // CNNVD: CNNVD-201112-217

TYPE

XSS

Trust: 1.2

sources: CNNVD: CNNVD-201109-280 // CNNVD: CNNVD-201112-217

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-003371

PATCH

title:	Top Page	url:	http://www.sap.com/	Trust: 0.8
title:	Patch for SAP Crystal Report Server 2008 'pubDBLogon.jsp' Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/5108	Trust: 0.6

sources: CNVD: CNVD-2011-3708 // JVNDB: JVNDB-2011-003371

EXTERNAL IDS

db:	NVD	id:	CVE-2011-4805	Trust: 2.9
db:	BID	id:	49656	Trust: 1.5
db:	CNVD	id:	CNVD-2011-3708	Trust: 0.8
db:	CNNVD	id:	CNNVD-201112-217	Trust: 0.8
db:	JVNDB	id:	JVNDB-2011-003371	Trust: 0.8
db:	CNNVD	id:	CNNVD-201109-280	Trust: 0.6
db:	BUGTRAQ	id:	20111117 [DSECRG-11-033] SAP CRYSTAL REPORT SERVER PUBDBLOGON - LINKED &OTILDE;SS VULNERABILITY	Trust: 0.6
db:	IVD	id:	54741ECA-1F88-11E6-ABEF-000C29C66E3D	Trust: 0.2

sources: IVD: 54741eca-1f88-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-3708 // BID: 49656 // JVNDB: JVNDB-2011-003371 // CNNVD: CNNVD-201109-280 // CNNVD: CNNVD-201112-217 // NVD: CVE-2011-4805

REFERENCES

url:	http://dsecrg.com/pages/vul/show.php?id=333	Trust: 2.5
url:	https://service.sap.com/sap/support/notes/1562292	Trust: 1.9
url:	http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a	Trust: 1.6
url:	http://www.securityfocus.com/archive/1/520560/100/0/threaded	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4805	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4805	Trust: 0.8
url:	http://www.securityfocus.com/bid/49656	Trust: 0.6
url:	http://www.securityfocus.com/archive/1/archive/1/520560/100/0/threaded	Trust: 0.6
url:	http://www.sap.com/solutions/sap-crystal-solutions/query-reporting-analysis/sapcrystalreports/index.epx	Trust: 0.3

sources: CNVD: CNVD-2011-3708 // BID: 49656 // JVNDB: JVNDB-2011-003371 // CNNVD: CNNVD-201109-280 // CNNVD: CNNVD-201112-217 // NVD: CVE-2011-4805

CREDITS

Dmitriy Chastuchin, Digital Security Research Group

Trust: 0.9

sources: BID: 49656 // CNNVD: CNNVD-201109-280

SOURCES

db:	IVD	id:	54741eca-1f88-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2011-3708
db:	BID	id:	49656
db:	JVNDB	id:	JVNDB-2011-003371
db:	CNNVD	id:	CNNVD-201109-280
db:	CNNVD	id:	CNNVD-201112-217
db:	NVD	id:	CVE-2011-4805

LAST UPDATE DATE

2024-08-14T14:14:38.342000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2011-3708	date:	2011-09-19T00:00:00
db:	BID	id:	49656	date:	2011-12-15T19:38:00
db:	JVNDB	id:	JVNDB-2011-003371	date:	2011-12-16T00:00:00
db:	CNNVD	id:	CNNVD-201109-280	date:	2011-09-20T00:00:00
db:	CNNVD	id:	CNNVD-201112-217	date:	2011-12-14T00:00:00
db:	NVD	id:	CVE-2011-4805	date:	2018-10-09T19:33:35.027

SOURCES RELEASE DATE

db:	IVD	id:	54741eca-1f88-11e6-abef-000c29c66e3d	date:	2011-09-19T00:00:00
db:	CNVD	id:	CNVD-2011-3708	date:	2011-09-19T00:00:00
db:	BID	id:	49656	date:	2011-09-16T00:00:00
db:	JVNDB	id:	JVNDB-2011-003371	date:	2011-12-16T00:00:00
db:	CNNVD	id:	CNNVD-201109-280	date:	1900-01-01T00:00:00
db:	CNNVD	id:	CNNVD-201112-217	date:	2011-12-14T00:00:00
db:	NVD	id:	CVE-2011-4805	date:	2011-12-14T00:55:06.153