ID

VAR-201906-1085


CVE

CVE-2019-0316


TITLE

SAP NetWeaver Process Integration vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-005568

DESCRIPTION

SAP NetWeaver Process Integration (versions SAP_XIESR: 7.20; SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50) does not sufficiently validate user-controlled inputs. This allows an attacker possessing admin privileges to read and modify data from the victim’s browser by injecting malicious scripts in certain servlets, which are executed when the victim is tricked into clicking on those malicious links, resulting in a reflected cross-site scripting vulnerability. SAP NetWeaver Process Integration contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Trust: 1.89

sources: NVD: CVE-2019-0316 // JVNDB: JVNDB-2019-005568 // BID: 108705

AFFECTED PRODUCTS

vendor: sap // model: netweaver process integration // scope: eq // version: 7.50

Trust: 1.3

vendor: sap // model: netweaver process integration // scope: eq // version: 7.40

Trust: 1.3

vendor: sap // model: netweaver process integration // scope: eq // version: 7.31

Trust: 1.3

vendor: sap // model: netweaver process integration // scope: eq // version: 7.30

Trust: 1.3

vendor: sap // model: netweaver process integration // scope: eq // version: 7.11

Trust: 1.3

vendor: sap // model: netweaver process integration // scope: eq // version: 7.10

Trust: 1.3

vendor: sap // model: netweaver process integration // scope: eq // version: 7.20

Trust: 1.0

vendor: sap // model: netweaver process integration // scope: - // version: -

Trust: 0.8

sources: BID: 108705 // JVNDB: JVNDB-2019-005568 // NVD: CVE-2019-0316

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-0316
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-0316
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201906-497
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-0316
severity: LOW
baseScore: 3.5
vectorString: AV:N/AC:M/AU:S/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2019-0316
baseSeverity: MEDIUM
baseScore: 4.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.7
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2019-005568 // CNNVD: CNNVD-201906-497 // NVD: CVE-2019-0316

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2019-005568 // NVD: CVE-2019-0316

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201906-497

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201906-497

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-005568

PATCH

title: SAP Security Patch Day - June 2019 // url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242

Trust: 0.8

title: SAP NetWeaver Process Integration Fixes for cross-site scripting vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=93732

Trust: 0.6

sources: JVNDB: JVNDB-2019-005568 // CNNVD: CNNVD-201906-497

EXTERNAL IDS

db: NVD // id: CVE-2019-0316

Trust: 2.7

db: BID // id: 108705

Trust: 0.9

db: JVNDB // id: JVNDB-2019-005568

Trust: 0.8

db: CNNVD // id: CNNVD-201906-497

Trust: 0.6

sources: BID: 108705 // JVNDB: JVNDB-2019-005568 // CNNVD: CNNVD-201906-497 // NVD: CVE-2019-0316

REFERENCES

url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=521864242

Trust: 1.9

url: https://launchpad.support.sap.com/#/notes/2745917

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2019-0316

Trust: 1.4

url: http://www.sap.com

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-0316

Trust: 0.8

url: https://www.securityfocus.com/bid/108705

Trust: 0.6

sources: BID: 108705 // JVNDB: JVNDB-2019-005568 // CNNVD: CNNVD-201906-497 // NVD: CVE-2019-0316

CREDITS

SAP

Trust: 0.9

sources: BID: 108705 // CNNVD: CNNVD-201906-497

SOURCES

db: BID // id: 108705
db: JVNDB // id: JVNDB-2019-005568
db: CNNVD // id: CNNVD-201906-497
db: NVD // id: CVE-2019-0316

LAST UPDATE DATE

2024-08-14T13:55:19.278000+00:00


SOURCES UPDATE DATE

db: BID // id: 108705 // date: 2019-06-11T00:00:00
db: JVNDB // id: JVNDB-2019-005568 // date: 2019-06-24T00:00:00
db: CNNVD // id: CNNVD-201906-497 // date: 2020-02-12T00:00:00
db: NVD // id: CVE-2019-0316 // date: 2020-02-10T21:48:48.353

SOURCES RELEASE DATE

db: BID // id: 108705 // date: 2019-06-11T00:00:00
db: JVNDB // id: JVNDB-2019-005568 // date: 2019-06-24T00:00:00
db: CNNVD // id: CNNVD-201906-497 // date: 2019-06-11T00:00:00
db: NVD // id: CVE-2019-0316 // date: 2019-06-14T19:29:00.340