Details of VAR-201602-0119

ID

VAR-201602-0119

CVE

CVE-2016-2387

TITLE

SAP NetWeaver of Java Proxy Runtime ProxyServer Servlet cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-001578

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy Runtime ProxyServer servlet in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) ns or (2) interface parameter to ProxyServer/register, aka SAP Security Note 2220571. Vendors have confirmed this vulnerability SAP Security Note 2220571 It is released as.By any third party Web Script or HTML May be inserted

Trust: 1.62

sources: NVD: CVE-2016-2387 // JVNDB: JVNDB-2016-001578

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver	scope:	eq	version:	7.40	Trust: 1.6
vendor:	sap	model:	netweaver	scope:	eq	version:	7.4	Trust: 0.8

sources: JVNDB: JVNDB-2016-001578 // CNNVD: CNNVD-201602-297 // NVD: CVE-2016-2387

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-2387
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2016-2387
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201602-297
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2016-2387
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2016-2387
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.0

sources: JVNDB: JVNDB-2016-001578 // CNNVD: CNNVD-201602-297 // NVD: CVE-2016-2387

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2016-001578 // NVD: CVE-2016-2387

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-297

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201602-297

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001578

PATCH

title:	SAP Security Note 2220571	url:	http://scn.sap.com/docs/DOC-55451	Trust: 0.8
title:	SAP NetWeaver Fixes for cross-site scripting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60233	Trust: 0.6

sources: JVNDB: JVNDB-2016-001578 // CNNVD: CNNVD-201602-297

EXTERNAL IDS

db:	NVD	id:	CVE-2016-2387	Trust: 2.4
db:	PACKETSTORM	id:	137045	Trust: 1.0
db:	JVNDB	id:	JVNDB-2016-001578	Trust: 0.8
db:	CNNVD	id:	CNNVD-201602-297	Trust: 0.6

sources: JVNDB: JVNDB-2016-001578 // CNNVD: CNNVD-201602-297 // NVD: CVE-2016-2387

REFERENCES

url:	https://erpscan.com/advisories/erpscan-16-008-sap-netweaver-7-4-proxyserver-servlet-xss-vulnerability/	Trust: 1.4
url:	https://erpscan.com/press-center/blog/sap-security-notes-february-2016-review/	Trust: 1.4
url:	http://packetstormsecurity.com/files/137045/sap-netweaver-as-java-7.4-cross-site-scripting.html	Trust: 1.0
url:	http://seclists.org/fulldisclosure/2016/may/39	Trust: 1.0
url:	https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/	Trust: 1.0
url:	https://erpscan.io/advisories/erpscan-16-008-sap-netweaver-7-4-proxyserver-servlet-xss-vulnerability/	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2387	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2387	Trust: 0.8

sources: JVNDB: JVNDB-2016-001578 // CNNVD: CNNVD-201602-297 // NVD: CVE-2016-2387

SOURCES

db:	JVNDB	id:	JVNDB-2016-001578
db:	CNNVD	id:	CNNVD-201602-297
db:	NVD	id:	CVE-2016-2387

LAST UPDATE DATE

2024-11-23T22:45:50.723000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2016-001578	date:	2016-03-04T00:00:00
db:	CNNVD	id:	CNNVD-201602-297	date:	2016-02-17T00:00:00
db:	NVD	id:	CVE-2016-2387	date:	2024-11-21T02:48:21.987

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2016-001578	date:	2016-03-04T00:00:00
db:	CNNVD	id:	CNNVD-201602-297	date:	2016-02-17T00:00:00
db:	NVD	id:	CVE-2016-2387	date:	2016-02-16T15:59:01.117