Sign-up

ID

VAR-201311-0362


CVE

CVE-2013-6816


TITLE

SAP NetWeaver of JavaDumpService and DataCollector Servlet cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2013-005195

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the (1) JavaDumpService and (2) DataCollector servlets in SAP NetWeaver allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. Since some unknown input related to the JavaDumpService servlet and the DataCollector servlet is not properly filtered before being returned to the user, the attacker can exploit the vulnerability to execute arbitrary HTML and script code in the user's browser session of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 3.33

sources: NVD: CVE-2013-6816 // JVNDB: JVNDB-2013-005195 // CNVD: CNVD-2013-14588 // CNVD: CNVD-2013-14602 // BID: 63788 // IVD: dadd0ddc-1efc-11e6-abef-000c29c66e3d // IVD: afafec56-1efc-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.6

sources: IVD: dadd0ddc-1efc-11e6-abef-000c29c66e3d // IVD: afafec56-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14588 // CNVD: CNVD-2013-14602

AFFECTED PRODUCTS

vendor:sapmodel:netweaverscope:eqversion: -

Trust: 1.6

vendor:sapmodel:netweaverscope: - version: -

Trust: 1.4

vendor:sapmodel:netweaverscope:eqversion:7.x

Trust: 0.8

vendor:sapmodel:netweaverscope:eqversion:7.30

Trust: 0.3

vendor:sapmodel:netweaverscope:eqversion:7.10

Trust: 0.3

vendor:sapmodel:netweaverscope:eqversion:7.02

Trust: 0.3

vendor:sapmodel:netweaverscope:eqversion:7.01

Trust: 0.3

vendor:sapmodel:netweaverscope:eqversion:7.0

Trust: 0.3

vendor:sapmodel:netweaverscope:eqversion:0

Trust: 0.3

vendor:netweavermodel: - scope:eqversion: -

Trust: 0.2

sources: IVD: dadd0ddc-1efc-11e6-abef-000c29c66e3d // IVD: afafec56-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14588 // CNVD: CNVD-2013-14602 // BID: 63788 // JVNDB: JVNDB-2013-005195 // CNNVD: CNNVD-201311-287 // NVD: CVE-2013-6816

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-6816
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-6816
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2013-14588
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2013-14602
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201311-287
value: MEDIUM

Trust: 0.6

IVD: dadd0ddc-1efc-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

IVD: afafec56-1efc-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

nvd@nist.gov: CVE-2013-6816
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-14588
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2013-14602
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: dadd0ddc-1efc-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: afafec56-1efc-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

sources: IVD: dadd0ddc-1efc-11e6-abef-000c29c66e3d // IVD: afafec56-1efc-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-14588 // CNVD: CNVD-2013-14602 // JVNDB: JVNDB-2013-005195 // CNNVD: CNNVD-201311-287 // NVD: CVE-2013-6816

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2013-005195 // NVD: CVE-2013-6816

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201311-287

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201311-287

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2013-005195

PATCH
title:Acknowledgments to Security Researchersurl:http://scn.sap.com/docs/DOC-8218
Trust: 0.8
title:Patch for SAP Netweaver DataCollector and JavaDumpService Servlets Cross-Site Scripting Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/41194
Trust: 0.6
title:Patches for multiple cross-site scripting vulnerabilities in SAP Netweaver DataCollector and JavaDumpService Servletsurl:https://www.cnvd.org.cn/patchInfo/show/41225
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2013-14588 // 
            
            
            
            CNVD: CNVD-2013-14602 // 
            
            
            
            JVNDB: JVNDB-2013-005195

EXTERNAL IDS
db:NVDid:CVE-2013-6816
Trust: 3.5
db:SECUNIAid:55777
Trust: 2.8
db:BIDid:63788
Trust: 0.9
db:CNVDid:CNVD-2013-14588
Trust: 0.8
db:CNVDid:CNVD-2013-14602
Trust: 0.8
db:CNNVDid:CNNVD-201311-287
Trust: 0.8
db:JVNDBid:JVNDB-2013-005195
Trust: 0.8
db:IVDid:DADD0DDC-1EFC-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:IVDid:AFAFEC56-1EFC-11E6-ABEF-000C29C66E3D
Trust: 0.2
sources:
            
            
            IVD: dadd0ddc-1efc-11e6-abef-000c29c66e3d // 
            
            
            
            IVD: afafec56-1efc-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2013-14588 // 
            
            
            
            CNVD: CNVD-2013-14602 // 
            
            
            
            BID: 63788 // 
            
            
            
            JVNDB: JVNDB-2013-005195 // 
            
            
            
            CNNVD: CNNVD-201311-287 // 
            
            
            
            NVD: CVE-2013-6816

REFERENCES
url:http://secunia.com/advisories/55777
Trust: 2.2
url:https://service.sap.com/sap/support/notes/1828801
Trust: 2.2
url:http://erpscan.com/advisories/erpscan-13-018-sap-netweaver-servlet-javadumpservice-multiple-xss/
Trust: 2.0
url:http://erpscan.com/advisories/erpscan-13-019-sap-netweaver-servlet-datacollector-multiple-xss/
Trust: 2.0
url:http://scn.sap.com/docs/doc-8218
Trust: 1.6
url:https://erpscan.io/advisories/erpscan-13-019-sap-netweaver-servlet-datacollector-multiple-xss/
Trust: 1.0
url:https://erpscan.io/advisories/erpscan-13-018-sap-netweaver-servlet-javadumpservice-multiple-xss/
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6816
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-6816
Trust: 0.8
url:http://secunia.com/advisories/55777/
Trust: 0.6
url:http://www.sap.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2013-14588 // 
            
            
            
            CNVD: CNVD-2013-14602 // 
            
            
            
            BID: 63788 // 
            
            
            
            JVNDB: JVNDB-2013-005195 // 
            
            
            
            CNNVD: CNNVD-201311-287 // 
            
            
            
            NVD: CVE-2013-6816

CREDITS
Dmitry Evdokimov of ERPScan.
Trust: 0.3
sources:
            
            
            BID: 63788

SOURCES
db:IVDid:dadd0ddc-1efc-11e6-abef-000c29c66e3d
db:IVDid:afafec56-1efc-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2013-14588
db:CNVDid:CNVD-2013-14602
db:BIDid:63788
db:JVNDBid:JVNDB-2013-005195
db:CNNVDid:CNNVD-201311-287
db:NVDid:CVE-2013-6816

LAST UPDATE DATE
2024-11-23T22:49:33.260000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2013-14588date:2013-11-21T00:00:00
db:CNVDid:CNVD-2013-14602date:2013-11-22T00:00:00
db:BIDid:63788date:2013-11-21T00:27:00
db:JVNDBid:JVNDB-2013-005195date:2013-11-21T00:00:00
db:CNNVDid:CNNVD-201311-287date:2013-11-22T00:00:00
db:NVDid:CVE-2013-6816date:2024-11-21T01:59:45.750

SOURCES RELEASE DATE
db:IVDid:dadd0ddc-1efc-11e6-abef-000c29c66e3ddate:2013-11-21T00:00:00
db:IVDid:afafec56-1efc-11e6-abef-000c29c66e3ddate:2013-11-22T00:00:00
db:CNVDid:CNVD-2013-14588date:2013-11-21T00:00:00
db:CNVDid:CNVD-2013-14602date:2013-11-22T00:00:00
db:BIDid:63788date:2013-10-30T00:00:00
db:JVNDBid:JVNDB-2013-005195date:2013-11-21T00:00:00
db:CNNVDid:CNNVD-201311-287date:2013-11-22T00:00:00
db:NVDid:CVE-2013-6816date:2013-11-20T14:12:30.930