Sign-up

ID

VAR-201402-0240


CVE

CVE-2014-1964


TITLE

SAP NetWeaver of Exchange Infrastructure Component cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-001414

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the Integration Repository in the SAP Exchange Infrastructure (BC-XI) component in SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via vectors related to the ESR application and a DIR error. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There are several vulnerabilities in SAP NetWeaver: 1. Portal handles the vulnerability of WebDyn Pro and can leak path information. 2, the message server has an unspecified error, allowing the attacker to exploit the vulnerability to crash the server. 3. 4. Some of the relevant ISpeakAdapter inputs lack filtering before returning to the user, allowing remote attackers to exploit the vulnerability for cross-site scripting attacks to obtain sensitive information or hijack user sessions. A remote attacker can exploit a vulnerability to get sensitive information or crash an application. SAP NetWeaver is prone to multiple security vulnerabilities, including: 1. An information-disclosure vulnerability 2. Multiple cross-site scripting vulnerabilities 3. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 2.43

sources: NVD: CVE-2014-1964 // JVNDB: JVNDB-2014-001414 // CNVD: CNVD-2014-01007 // BID: 65547

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-01007

AFFECTED PRODUCTS

vendor:sapmodel:netweaverscope:eqversion: -

Trust: 1.6

vendor:sapmodel:netweaver exchange infrastructure \scope:eqversion: -

Trust: 1.6

vendor:sapmodel:netweaverscope: - version: -

Trust: 0.8

vendor:sapmodel:netweaver exchange infrastructurescope: - version: -

Trust: 0.8

vendor:sapmodel:netweaverscope:eqversion:7.x

Trust: 0.6

vendor:sapmodel:netweaverscope:eqversion:0

Trust: 0.3

sources: CNVD: CNVD-2014-01007 // BID: 65547 // JVNDB: JVNDB-2014-001414 // CNNVD: CNNVD-201402-207 // NVD: CVE-2014-1964

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-1964
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-1964
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-01007
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201402-207
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2014-1964
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-01007
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2014-01007 // JVNDB: JVNDB-2014-001414 // CNNVD: CNNVD-201402-207 // NVD: CVE-2014-1964

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2014-001414 // NVD: CVE-2014-1964

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-207

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201402-207

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-001414

PATCH
title:Acknowledgments to Security Researchersurl:http://scn.sap.com/docs/DOC-8218
Trust: 0.8
title:SAP NetWeaver has multiple vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/43676
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2014-01007 // 
            
            
            
            JVNDB: JVNDB-2014-001414

EXTERNAL IDS
db:NVDid:CVE-2014-1964
Trust: 3.0
db:SECUNIAid:56947
Trust: 1.6
db:BIDid:65547
Trust: 0.9
db:JVNDBid:JVNDB-2014-001414
Trust: 0.8
db:CNVDid:CNVD-2014-01007
Trust: 0.6
db:CNNVDid:CNNVD-201402-207
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2014-01007 // 
            
            
            
            BID: 65547 // 
            
            
            
            JVNDB: JVNDB-2014-001414 // 
            
            
            
            CNNVD: CNNVD-201402-207 // 
            
            
            
            NVD: CVE-2014-1964

REFERENCES
url:http://erpscan.com/advisories/erpscan-14-005-sap-netweaver-dir-error-xss/
Trust: 2.0
url:https://service.sap.com/sap/support/notes/1788080
Trust: 1.6
url:http://secunia.com/advisories/56947
Trust: 1.6
url:http://scn.sap.com/docs/doc-8218
Trust: 1.6
url:https://erpscan.io/advisories/erpscan-14-005-sap-netweaver-dir-error-xss/
Trust: 1.0
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/91095
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1964
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1964
Trust: 0.8
url:http://erpscan.com/advisories/erpscan-14-001-sap-netweaver-message-server-dos/
Trust: 0.6
url:http://erpscan.com/advisories/erpscan-14-002-sap-portal-webdynpro-path-disclosure/
Trust: 0.6
url:http://erpscan.com/advisories/erpscan-14-006-sap-netweaver-pip-xss/
Trust: 0.6
url:http://www.sap.com
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2014-01007 // 
            
            
            
            BID: 65547 // 
            
            
            
            JVNDB: JVNDB-2014-001414 // 
            
            
            
            CNNVD: CNNVD-201402-207 // 
            
            
            
            NVD: CVE-2014-1964

CREDITS
Alexander Polyakov, George Nosenko and Dmitry Chastukhin
Trust: 0.3
sources:
            
            
            BID: 65547

SOURCES
db:CNVDid:CNVD-2014-01007
db:BIDid:65547
db:JVNDBid:JVNDB-2014-001414
db:CNNVDid:CNNVD-201402-207
db:NVDid:CVE-2014-1964

LAST UPDATE DATE
2024-11-23T22:23:07.816000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2014-01007date:2014-02-18T00:00:00
db:BIDid:65547date:2014-02-01T00:00:00
db:JVNDBid:JVNDB-2014-001414date:2014-02-19T00:00:00
db:CNNVDid:CNNVD-201402-207date:2014-02-18T00:00:00
db:NVDid:CVE-2014-1964date:2024-11-21T02:05:21.933

SOURCES RELEASE DATE
db:CNVDid:CNVD-2014-01007date:2014-02-18T00:00:00
db:BIDid:65547date:2014-02-01T00:00:00
db:JVNDBid:JVNDB-2014-001414date:2014-02-19T00:00:00
db:CNNVDid:CNNVD-201402-207date:2014-02-18T00:00:00
db:NVDid:CVE-2014-1964date:2014-02-14T15:55:07.563