Details of VAR-201406-0154

ID

VAR-201406-0154

CVE

CVE-2014-4160

TITLE

SAP NetWeaver Business Client of testcanvas Node cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2014-002935

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the testcanvas node in SAP NetWeaver Business Client (NWBC) allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) sap-accessibility parameter. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 1.89

sources: NVD: CVE-2014-4160 // JVNDB: JVNDB-2014-002935 // BID: 67995

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver business client	scope:	eq	version:	-	Trust: 1.6
vendor:	sap	model:	netweaver business client	scope:	-	version:	-	Trust: 0.8
vendor:	sap	model:	netweaver business client	scope:	eq	version:	0	Trust: 0.3

sources: BID: 67995 // JVNDB: JVNDB-2014-002935 // CNNVD: CNNVD-201406-312 // NVD: CVE-2014-4160

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-4160
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-4160
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201406-312
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2014-4160
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

sources: JVNDB: JVNDB-2014-002935 // CNNVD: CNNVD-201406-312 // NVD: CVE-2014-4160

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2014-002935 // NVD: CVE-2014-4160

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201406-312

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201406-312

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-002935

PATCH

title:

SAP Security Note 1932505

url:

http://scn.sap.com/docs/DOC-8218

Trust: 0.8

sources: JVNDB: JVNDB-2014-002935

EXTERNAL IDS

db:	NVD	id:	CVE-2014-4160	Trust: 2.7
db:	BID	id:	67995	Trust: 1.3
db:	JVNDB	id:	JVNDB-2014-002935	Trust: 0.8
db:	CNNVD	id:	CNNVD-201406-312	Trust: 0.6

sources: BID: 67995 // JVNDB: JVNDB-2014-002935 // CNNVD: CNNVD-201406-312 // NVD: CVE-2014-4160

REFERENCES

url:	http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html	Trust: 2.4
url:	https://service.sap.com/sap/support/notes/1932505	Trust: 1.6
url:	http://scn.sap.com/docs/doc-8218	Trust: 1.6
url:	http://www.securityfocus.com/bid/67995	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-4160	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-4160	Trust: 0.8
url:	http://www.sap.com	Trust: 0.3

sources: BID: 67995 // JVNDB: JVNDB-2014-002935 // CNNVD: CNNVD-201406-312 // NVD: CVE-2014-4160

CREDITS

Enrico Milanese, Emaze Networks S.p.A.

Trust: 0.3

sources: BID: 67995

SOURCES

db:	BID	id:	67995
db:	JVNDB	id:	JVNDB-2014-002935
db:	CNNVD	id:	CNNVD-201406-312
db:	NVD	id:	CVE-2014-4160

LAST UPDATE DATE

2024-11-23T22:27:19.845000+00:00

SOURCES UPDATE DATE

db:	BID	id:	67995	date:	2014-06-18T00:03:00
db:	JVNDB	id:	JVNDB-2014-002935	date:	2014-06-17T00:00:00
db:	CNNVD	id:	CNNVD-201406-312	date:	2014-08-26T00:00:00
db:	NVD	id:	CVE-2014-4160	date:	2024-11-21T02:09:36.747

SOURCES RELEASE DATE

db:	BID	id:	67995	date:	2014-05-28T00:00:00
db:	JVNDB	id:	JVNDB-2014-002935	date:	2014-06-17T00:00:00
db:	CNNVD	id:	CNNVD-201406-312	date:	2014-06-16T00:00:00
db:	NVD	id:	CVE-2014-4160	date:	2014-06-13T14:55:18.023