Sign-up

ID

VAR-201707-0533


CVE

CVE-2017-11460


TITLE

SAP NetWeaver Portal Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-006463

DESCRIPTION

Cross-site scripting (XSS) vulnerability in the DataArchivingService servlet in SAP NetWeaver Portal 7.4 allows remote attackers to inject arbitrary web script or HTML via the responsecode parameter to shp/shp_result.jsp, aka SAP Security Note 2308535. Vendors have confirmed this vulnerability SAP Security Note 2308535 It is released as.Information may be obtained and information may be altered. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 2.16

sources: NVD: CVE-2017-11460 // JVNDB: JVNDB-2017-006463 // BID: 97565 // BID: 101826

AFFECTED PRODUCTS

vendor:sapmodel:netweaver portalscope:eqversion:7.4

Trust: 1.6

vendor:sapmodel:netweaverscope:eqversion:portal 7.4

Trust: 0.8

vendor:sapmodel:netweaverscope:eqversion:7.4

Trust: 0.3

vendor:sapmodel:netweaverscope:eqversion:0

Trust: 0.3

sources: BID: 97565 // BID: 101826 // JVNDB: JVNDB-2017-006463 // CNNVD: CNNVD-201707-869 // NVD: CVE-2017-11460

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-11460
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-11460
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201707-869
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2017-11460
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2017-11460
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2017-006463 // CNNVD: CNNVD-201707-869 // NVD: CVE-2017-11460

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-006463 // NVD: CVE-2017-11460

THREAT TYPE

network

Trust: 0.6

sources: BID: 97565 // BID: 101826

TYPE

Input Validation Error

Trust: 0.6

sources: BID: 97565 // BID: 101826

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-006463

PATCH
title:April 2017 (2308535)url:https://blogs.sap.com/2017/04/11/sap-security-patch-day-april-2017/
Trust: 0.8
title:SAP NetWeaver Portal Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91646
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-006463 // 
            
            
            
            CNNVD: CNNVD-201707-869

EXTERNAL IDS
db:NVDid:CVE-2017-11460
Trust: 3.0
db:BIDid:101826
Trust: 1.9
db:BIDid:97565
Trust: 1.3
db:JVNDBid:JVNDB-2017-006463
Trust: 0.8
db:CNNVDid:CNNVD-201707-869
Trust: 0.6
sources:
            
            
            BID: 97565 // 
            
            
            
            BID: 101826 // 
            
            
            
            JVNDB: JVNDB-2017-006463 // 
            
            
            
            CNNVD: CNNVD-201707-869 // 
            
            
            
            NVD: CVE-2017-11460

REFERENCES
url:http://www.securityfocus.com/bid/101826
Trust: 1.6
url:http://www.sap.com
Trust: 1.2
url:https://erpscan.com/advisories/erpscan-17-016-sap-netweaver-java-7-4-dataarchivingservice-servlet-xss/
Trust: 1.1
url:https://erpscan.io/advisories/erpscan-17-016-sap-netweaver-java-7-4-dataarchivingservice-servlet-xss/
Trust: 1.0
url:http://www.securityfocus.com/bid/97565
Trust: 1.0
url:https://service.sap.com/sap/support/notes/2464582
Trust: 0.9
url:https://blogs.sap.com/2017/11/14/sap-security-patch-day-november-2017/
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-11460
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-11460
Trust: 0.8
url:https://service.sap.com/sap/support/notes/2308535
Trust: 0.3
url:https://blogs.sap.com/2017/04/11/sap-security-patch-day-april-2017/
Trust: 0.3
sources:
            
            
            BID: 97565 // 
            
            
            
            BID: 101826 // 
            
            
            
            JVNDB: JVNDB-2017-006463 // 
            
            
            
            CNNVD: CNNVD-201707-869 // 
            
            
            
            NVD: CVE-2017-11460

CREDITS
The vendor reported this issue.
Trust: 1.2
sources:
            
            
            BID: 97565 // 
            
            
            
            BID: 101826 // 
            
            
            
            CNNVD: CNNVD-201707-869

SOURCES
db:BIDid:97565
db:BIDid:101826
db:JVNDBid:JVNDB-2017-006463
db:CNNVDid:CNNVD-201707-869
db:NVDid:CVE-2017-11460

LAST UPDATE DATE
2024-11-23T22:34:36.157000+00:00

SOURCES UPDATE DATE
db:BIDid:97565date:2017-07-26T17:08:00
db:BIDid:101826date:2019-04-12T22:00:00
db:JVNDBid:JVNDB-2017-006463date:2017-08-25T00:00:00
db:CNNVDid:CNNVD-201707-869date:2019-04-15T00:00:00
db:NVDid:CVE-2017-11460date:2024-11-21T03:07:49.700

SOURCES RELEASE DATE
db:BIDid:97565date:2017-04-11T00:00:00
db:BIDid:101826date:2017-11-14T00:00:00
db:JVNDBid:JVNDB-2017-006463date:2017-08-25T00:00:00
db:CNNVDid:CNNVD-201707-869date:2017-07-20T00:00:00
db:NVDid:CVE-2017-11460date:2017-07-25T18:29:01.197