Sign-up

ID

VAR-201707-0531


CVE

CVE-2017-11458


TITLE

SAP NetWeaver AS JAVA Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-006731

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol servlet in SAP NetWeaver AS JAVA 7.3 allows remote attackers to inject arbitrary web script or HTML via the sessionID parameter, aka SAP Security Note 2406783. Vendors have confirmed this vulnerability SAP Security Note 2406783 It is released as.Information may be obtained and information may be altered. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 1.89

sources: NVD: CVE-2017-11458 // JVNDB: JVNDB-2017-006731 // BID: 97566

AFFECTED PRODUCTS

vendor:sapmodel:netweaver application server javascope:eqversion:7.30

Trust: 1.0

vendor:sapmodel:netweaverscope:eqversion:7.3

Trust: 0.9

vendor:sapmodel:netweaverscope:eqversion:as java 7.3

Trust: 0.8

vendor:sapmodel:netweaver as javascope:eqversion:7.30

Trust: 0.3

sources: BID: 97566 // JVNDB: JVNDB-2017-006731 // CNNVD: CNNVD-201707-871 // NVD: CVE-2017-11458

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-11458
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-11458
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201707-871
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2017-11458
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2017-11458
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

nvd@nist.gov: CVE-2017-11458
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2017-11458
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2017-006731 // CNNVD: CNNVD-201707-871 // NVD: CVE-2017-11458

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-006731 // NVD: CVE-2017-11458

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201707-871

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201707-871

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-006731

PATCH
title:April 2017 (2406783)url:https://blogs.sap.com/2017/04/11/sap-security-patch-day-april-2017/
Trust: 0.8
title:SAP NetWeaver AS JAVA Repair measures for cross-site scripting security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=148142
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-006731 // 
            
            
            
            CNNVD: CNNVD-201707-871

EXTERNAL IDS
db:NVDid:CVE-2017-11458
Trust: 2.7
db:BIDid:97566
Trust: 1.9
db:JVNDBid:JVNDB-2017-006731
Trust: 0.8
db:CNNVDid:CNNVD-201707-871
Trust: 0.6
sources:
            
            
            BID: 97566 // 
            
            
            
            JVNDB: JVNDB-2017-006731 // 
            
            
            
            CNNVD: CNNVD-201707-871 // 
            
            
            
            NVD: CVE-2017-11458

REFERENCES
url:http://www.securityfocus.com/bid/97566
Trust: 1.6
url:https://erpscan.io/advisories/erpscan-17-017-sap-netweaver-java-7-3-java-xss-ctcprotocolprotocol-servlet/
Trust: 1.6
url:https://erpscan.com/advisories/erpscan-17-017-sap-netweaver-java-7-3-java-xss-ctcprotocolprotocol-servlet/
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11458
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-11458
Trust: 0.8
url:http://www.sap.com
Trust: 0.3
url:https://service.sap.com/sap/support/notes/2406783
Trust: 0.3
url:https://blogs.sap.com/2017/04/11/sap-security-patch-day-april-2017/
Trust: 0.3
sources:
            
            
            BID: 97566 // 
            
            
            
            JVNDB: JVNDB-2017-006731 // 
            
            
            
            CNNVD: CNNVD-201707-871 // 
            
            
            
            NVD: CVE-2017-11458

CREDITS
The vendor reported this issue.
Trust: 0.3
sources:
            
            
            BID: 97566

SOURCES
db:BIDid:97566
db:JVNDBid:JVNDB-2017-006731
db:CNNVDid:CNNVD-201707-871
db:NVDid:CVE-2017-11458

LAST UPDATE DATE
2024-11-23T22:38:28.634000+00:00

SOURCES UPDATE DATE
db:BIDid:97566date:2017-08-25T13:11:00
db:JVNDBid:JVNDB-2017-006731date:2017-09-01T00:00:00
db:CNNVDid:CNNVD-201707-871date:2021-04-22T00:00:00
db:NVDid:CVE-2017-11458date:2024-11-21T03:07:49.420

SOURCES RELEASE DATE
db:BIDid:97566date:2017-04-11T00:00:00
db:JVNDBid:JVNDB-2017-006731date:2017-09-01T00:00:00
db:CNNVDid:CNNVD-201707-871date:2017-07-20T00:00:00
db:NVDid:CVE-2017-11458date:2017-07-25T18:29:01.133