Sign-up

ID

VAR-201709-0206


CVE

CVE-2017-10701


TITLE

SAP Enterprise Portal Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2017-008516

DESCRIPTION

Cross site scripting (XSS) vulnerability in SAP Enterprise Portal 7.50 allows remote attackers to inject arbitrary web script or HTML, aka SAP Security Notes 2469860, 2471209, and 2488516. Vendors have confirmed this vulnerability SAP Security Note 2469860 , 2471209 , 2488516 It is released as.Information may be obtained and information may be altered. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. A remote user can conduct cross-site scripting attacks. The software does not properly filter HTML code from user-supplied input before displaying the input. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. *Impact:* A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SAP Enterprise Portal, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. *Link to remedies:* Web Dynpro Java - https://launchpad.support.sap.com/#/notes/2469860 SAPGUI for HTML- https://launchpad.support.sap.com/#/notes/2471209 Web Dynpro ABAP -https://launchpad.support.sap.com/#/notes/2488516 *Credits:* Imran Khan @Netizen01k reported this vulnerability

Trust: 2.79

sources: NVD: CVE-2017-10701 // JVNDB: JVNDB-2017-008516 // BID: 100786 // BID: 100788 // BID: 101068 // BID: 100805 // PACKETSTORM: 144391

AFFECTED PRODUCTS

vendor:sapmodel:enterprise portalscope:eqversion:7.50

Trust: 1.7

vendor:sapmodel:enterprise portalscope:lteversion:7.50

Trust: 1.0

vendor:sapmodel:web dynpro abapscope:eqversion:0

Trust: 0.3

vendor:sapmodel:guiscope:eqversion:0

Trust: 0.3

vendor:sapmodel:netweaverscope:eqversion:0

Trust: 0.3

sources: BID: 100786 // BID: 100788 // BID: 101068 // BID: 100805 // JVNDB: JVNDB-2017-008516 // CNNVD: CNNVD-201709-1309 // NVD: CVE-2017-10701

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-10701
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-10701
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201709-1309
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2017-10701
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2017-10701
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2017-008516 // CNNVD: CNNVD-201709-1309 // NVD: CVE-2017-10701

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2017-008516 // NVD: CVE-2017-10701

THREAT TYPE

network

Trust: 1.2

sources: BID: 100786 // BID: 100788 // BID: 101068 // BID: 100805

TYPE

Input Validation Error

Trust: 1.2

sources: BID: 100786 // BID: 100788 // BID: 101068 // BID: 100805

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-008516

PATCH
title:September 2017 (2469860、2471209、2488516)url:https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/
Trust: 0.8
title:SAP Enterprise Portal Fixes for cross-site scripting vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75194
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2017-008516 // 
            
            
            
            CNNVD: CNNVD-201709-1309

EXTERNAL IDS
db:NVDid:CVE-2017-10701
Trust: 2.8
db:CXSECURITYid:WLB-2017090219
Trust: 2.4
db:BIDid:100786
Trust: 1.9
db:BIDid:100788
Trust: 1.9
db:BIDid:100805
Trust: 1.9
db:BIDid:101068
Trust: 1.3
db:JVNDBid:JVNDB-2017-008516
Trust: 0.8
db:CNNVDid:CNNVD-201709-1309
Trust: 0.6
db:PACKETSTORMid:144391
Trust: 0.1
sources:
            
            
            BID: 100786 // 
            
            
            
            BID: 100788 // 
            
            
            
            BID: 101068 // 
            
            
            
            BID: 100805 // 
            
            
            
            JVNDB: JVNDB-2017-008516 // 
            
            
            
            PACKETSTORM: 144391 // 
            
            
            
            CNNVD: CNNVD-201709-1309 // 
            
            
            
            NVD: CVE-2017-10701

REFERENCES
url:https://cxsecurity.com/issue/wlb-2017090219
Trust: 2.4
url:http://www.securityfocus.com/bid/100786
Trust: 1.6
url:http://www.securityfocus.com/bid/100788
Trust: 1.6
url:http://www.securityfocus.com/bid/100805
Trust: 1.6
url:http://www.sap.com
Trust: 1.2
url:http://www.securityfocus.com/bid/101068
Trust: 1.0
url:https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/
Trust: 0.9
url:https://nvd.nist.gov/vuln/detail/cve-2017-10701
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-10701
Trust: 0.8
url:https://launchpad.support.sap.com/#/notes/2488516
Trust: 0.4
url:https://launchpad.support.sap.com/#/notes/2471209
Trust: 0.4
url:https://launchpad.support.sap.com/#/notes/2469860
Trust: 0.4
url:https://blogs.sap.com/2017/11/14/sap-security-patch-day-november-2017/
Trust: 0.3
url:http://seclists.org/fulldisclosure/2017/sep/80
Trust: 0.3
sources:
            
            
            BID: 100786 // 
            
            
            
            BID: 100788 // 
            
            
            
            BID: 101068 // 
            
            
            
            BID: 100805 // 
            
            
            
            JVNDB: JVNDB-2017-008516 // 
            
            
            
            PACKETSTORM: 144391 // 
            
            
            
            CNNVD: CNNVD-201709-1309 // 
            
            
            
            NVD: CVE-2017-10701

CREDITS
The vendor reported this issue.
Trust: 0.9
sources:
            
            
            BID: 100786 // 
            
            
            
            BID: 100788 // 
            
            
            
            BID: 100805

SOURCES
db:BIDid:100786
db:BIDid:100788
db:BIDid:101068
db:BIDid:100805
db:JVNDBid:JVNDB-2017-008516
db:PACKETSTORMid:144391
db:CNNVDid:CNNVD-201709-1309
db:NVDid:CVE-2017-10701

LAST UPDATE DATE
2024-11-23T22:59:15.216000+00:00

SOURCES UPDATE DATE
db:BIDid:100786date:2017-09-12T00:00:00
db:BIDid:100788date:2017-12-19T22:37:00
db:BIDid:101068date:2017-09-27T00:00:00
db:BIDid:100805date:2017-09-12T00:00:00
db:JVNDBid:JVNDB-2017-008516date:2017-10-20T00:00:00
db:CNNVDid:CNNVD-201709-1309date:2017-10-09T00:00:00
db:NVDid:CVE-2017-10701date:2024-11-21T03:06:18.953

SOURCES RELEASE DATE
db:BIDid:100786date:2017-09-12T00:00:00
db:BIDid:100788date:2017-09-12T00:00:00
db:BIDid:101068date:2017-09-27T00:00:00
db:BIDid:100805date:2017-09-12T00:00:00
db:JVNDBid:JVNDB-2017-008516date:2017-10-20T00:00:00
db:PACKETSTORMid:144391date:2017-09-29T17:54:04
db:CNNVDid:CNNVD-201709-1309date:2017-09-28T00:00:00
db:NVDid:CVE-2017-10701date:2017-09-29T01:34:48.437