Details of VAR-201601-0535

ID

VAR-201601-0535

CVE

CVE-2016-1911

TITLE

SAP NetWeaver Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2016-001074

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) Runtime Workbench (RWB) or (2) Pmitest servlet in the Process Monitoring Infrastructure (PMI), aka SAP Security Notes 2206793 and 2234918. SAP NetWeaver Contains a cross-site scripting vulnerability. Vendors have confirmed this vulnerability SAP Security Note 2206793 and 2234918 It is released as.By any third party Web Script or HTML May be inserted. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks

Trust: 1.89

sources: NVD: CVE-2016-1911 // JVNDB: JVNDB-2016-001074 // BID: 80909

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver	scope:	eq	version:	7.40	Trust: 1.6
vendor:	sap	model:	netweaver	scope:	eq	version:	7.4	Trust: 1.1

sources: BID: 80909 // JVNDB: JVNDB-2016-001074 // CNNVD: CNNVD-201601-343 // NVD: CVE-2016-1911

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-1911
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-1911
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201601-343
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2016-1911
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2016-1911
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.0

sources: JVNDB: JVNDB-2016-001074 // CNNVD: CNNVD-201601-343 // NVD: CVE-2016-1911

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2016-001074 // NVD: CVE-2016-1911

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201601-343

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201601-343

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001074

PATCH

title:	SAP Security Notes January 2016 - Review (2206793/2234918)	url:	http://scn.sap.com/community/security/blog/2016/01/12/sap-security-notes-january-2016-review	Trust: 0.8
title:	SAP NetWeaver Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59661	Trust: 0.6

sources: JVNDB: JVNDB-2016-001074 // CNNVD: CNNVD-201601-343

EXTERNAL IDS

db:	NVD	id:	CVE-2016-1911	Trust: 2.7
db:	JVNDB	id:	JVNDB-2016-001074	Trust: 0.8
db:	CNNVD	id:	CNNVD-201601-343	Trust: 0.6
db:	BID	id:	80909	Trust: 0.3

sources: BID: 80909 // JVNDB: JVNDB-2016-001074 // CNNVD: CNNVD-201601-343 // NVD: CVE-2016-1911

REFERENCES

url:	http://erpscan.com/advisories/erpscan-16-001-xss-sap-netweaver-7-4-mdt-servlet/	Trust: 1.7
url:	http://erpscan.com/advisories/erpscan-16-004-sap-netweaver-7-4-pmitest-servlet-xss/	Trust: 1.7
url:	https://erpscan.io/advisories/erpscan-16-001-xss-sap-netweaver-7-4-mdt-servlet/	Trust: 1.0
url:	http://seclists.org/fulldisclosure/2016/apr/58	Trust: 1.0
url:	http://seclists.org/fulldisclosure/2016/apr/64	Trust: 1.0
url:	https://erpscan.io/advisories/erpscan-16-004-sap-netweaver-7-4-pmitest-servlet-xss/	Trust: 1.0
url:	https://erpscan.io/press-center/blog/sap-security-notes-january-2016-review/	Trust: 1.0
url:	http://erpscan.com/press-center/blog/sap-security-notes-january-2016-review/	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1911	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1911	Trust: 0.8
url:	http://scn.sap.com/community/security/blog/2016/01/12/sap-security-patch-day--january-2016	Trust: 0.3

sources: BID: 80909 // JVNDB: JVNDB-2016-001074 // CNNVD: CNNVD-201601-343 // NVD: CVE-2016-1911

CREDITS

ERPSCAN

Trust: 0.3

sources: BID: 80909

SOURCES

db:	BID	id:	80909
db:	JVNDB	id:	JVNDB-2016-001074
db:	CNNVD	id:	CNNVD-201601-343
db:	NVD	id:	CVE-2016-1911

LAST UPDATE DATE

2024-11-23T21:43:25.018000+00:00

SOURCES UPDATE DATE

db:	BID	id:	80909	date:	2016-01-12T00:00:00
db:	JVNDB	id:	JVNDB-2016-001074	date:	2016-01-21T00:00:00
db:	CNNVD	id:	CNNVD-201601-343	date:	2016-01-18T00:00:00
db:	NVD	id:	CVE-2016-1911	date:	2024-11-21T02:47:20.237

SOURCES RELEASE DATE

db:	BID	id:	80909	date:	2016-01-12T00:00:00
db:	JVNDB	id:	JVNDB-2016-001074	date:	2016-01-21T00:00:00
db:	CNNVD	id:	CNNVD-201601-343	date:	2016-01-18T00:00:00
db:	NVD	id:	CVE-2016-1911	date:	2016-01-15T20:59:02.957