Sign-up

ID

VAR-201402-0241


CVE

CVE-2014-1965


TITLE

SAP NetWeaver for SAP Exchange Infrastructure Component cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-001415

DESCRIPTION

Cross-site scripting (XSS) vulnerability in ISpeakAdapter in the Integration Repository in the SAP Exchange Infrastructure (BC-XI) component 3.0, 7.00 through 7.02, and 7.10 through 7.11 for SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via vectors related to PIP. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There are several vulnerabilities in SAP NetWeaver: 1. Portal handles the vulnerability of WebDyn Pro and can leak path information. 2, the message server has an unspecified error, allowing the attacker to exploit the vulnerability to crash the server. 3. The relevant DIR error input lacks filtering before returning to the user, allowing remote attackers to exploit the vulnerability for cross-site scripting attacks to obtain sensitive information or hijack user sessions. 4. Some of the relevant ISpeakAdapter inputs lack filtering before returning to the user, allowing remote attackers to exploit the vulnerability for cross-site scripting attacks to obtain sensitive information or hijack user sessions. A remote attacker can exploit a vulnerability to get sensitive information or crash an application. SAP NetWeaver is prone to multiple security vulnerabilities, including: 1. An information-disclosure vulnerability 2. Multiple cross-site scripting vulnerabilities 3. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 2.43

sources: NVD: CVE-2014-1965 // JVNDB: JVNDB-2014-001415 // CNVD: CNVD-2014-01007 // BID: 65547

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2014-01007

AFFECTED PRODUCTS

vendor:sapmodel:netweaverscope:eqversion:7.11

Trust: 1.6

vendor:sapmodel:netweaverscope:eqversion:7.02

Trust: 1.6

vendor:sapmodel:netweaverscope:eqversion:7.0

Trust: 1.6

vendor:sapmodel:netweaverscope:eqversion:7.10

Trust: 1.6

vendor:sapmodel:netweaverscope:eqversion:7.01

Trust: 1.6

vendor:sapmodel:netweaverscope:eqversion:3.0

Trust: 1.6

vendor:sapmodel:netweaverscope:eqversion:for sap exchange infrastructure (bc-xi) 3.0

Trust: 0.8

vendor:sapmodel:netweaverscope:eqversion:for sap exchange infrastructure (bc-xi) 7.00 to 7.02

Trust: 0.8

vendor:sapmodel:netweaverscope:eqversion:for sap exchange infrastructure (bc-xi) 7.10 to 7.11

Trust: 0.8

vendor:sapmodel:netweaverscope:eqversion:7.x

Trust: 0.6

vendor:sapmodel:netweaverscope:eqversion:0

Trust: 0.3

sources: CNVD: CNVD-2014-01007 // BID: 65547 // JVNDB: JVNDB-2014-001415 // CNNVD: CNNVD-201402-208 // NVD: CVE-2014-1965

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-1965
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-1965
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2014-01007
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201402-208
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2014-1965
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2014-01007
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2014-01007 // JVNDB: JVNDB-2014-001415 // CNNVD: CNNVD-201402-208 // NVD: CVE-2014-1965

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2014-001415 // NVD: CVE-2014-1965

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201402-208

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201402-208

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-001415

PATCH
title:Top Pageurl:http://www.sap.com/index.html
Trust: 0.8
title:SAP NetWeaver has multiple vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/43676
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2014-01007 // 
            
            
            
            JVNDB: JVNDB-2014-001415

EXTERNAL IDS
db:NVDid:CVE-2014-1965
Trust: 3.0
db:SECUNIAid:56947
Trust: 1.6
db:BIDid:65547
Trust: 0.9
db:JVNDBid:JVNDB-2014-001415
Trust: 0.8
db:CNVDid:CNVD-2014-01007
Trust: 0.6
db:CNNVDid:CNNVD-201402-208
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2014-01007 // 
            
            
            
            BID: 65547 // 
            
            
            
            JVNDB: JVNDB-2014-001415 // 
            
            
            
            CNNVD: CNNVD-201402-208 // 
            
            
            
            NVD: CVE-2014-1965

REFERENCES
url:http://erpscan.com/advisories/erpscan-14-006-sap-netweaver-pip-xss/
Trust: 2.0
url:https://service.sap.com/sap/support/notes/1442517
Trust: 1.6
url:http://www.stechno.net/sap-notes.html?view=sapnote&id=1442517
Trust: 1.6
url:http://secunia.com/advisories/56947
Trust: 1.6
url:https://erpscan.io/advisories/erpscan-14-006-sap-netweaver-pip-xss/
Trust: 1.0
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/91094
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1965
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1965
Trust: 0.8
url:http://erpscan.com/advisories/erpscan-14-001-sap-netweaver-message-server-dos/
Trust: 0.6
url:http://erpscan.com/advisories/erpscan-14-002-sap-portal-webdynpro-path-disclosure/
Trust: 0.6
url:http://erpscan.com/advisories/erpscan-14-005-sap-netweaver-dir-error-xss/
Trust: 0.6
url:http://www.sap.com
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2014-01007 // 
            
            
            
            BID: 65547 // 
            
            
            
            JVNDB: JVNDB-2014-001415 // 
            
            
            
            CNNVD: CNNVD-201402-208 // 
            
            
            
            NVD: CVE-2014-1965

CREDITS
Alexander Polyakov, George Nosenko and Dmitry Chastukhin
Trust: 0.3
sources:
            
            
            BID: 65547

SOURCES
db:CNVDid:CNVD-2014-01007
db:BIDid:65547
db:JVNDBid:JVNDB-2014-001415
db:CNNVDid:CNNVD-201402-208
db:NVDid:CVE-2014-1965

LAST UPDATE DATE
2024-11-23T22:23:07.784000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2014-01007date:2014-02-18T00:00:00
db:BIDid:65547date:2014-02-01T00:00:00
db:JVNDBid:JVNDB-2014-001415date:2014-02-19T00:00:00
db:CNNVDid:CNNVD-201402-208date:2014-02-18T00:00:00
db:NVDid:CVE-2014-1965date:2024-11-21T02:05:22.077

SOURCES RELEASE DATE
db:CNVDid:CNVD-2014-01007date:2014-02-18T00:00:00
db:BIDid:65547date:2014-02-01T00:00:00
db:JVNDBid:JVNDB-2014-001415date:2014-02-19T00:00:00
db:CNNVDid:CNNVD-201402-208date:2014-02-18T00:00:00
db:NVDid:CVE-2014-1965date:2014-02-14T15:55:07.830