ID

VAR-201907-1476


CVE

CVE-2019-0321


TITLE

ABAP Server and Platform Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2019-006600

DESCRIPTION

ABAP Server and ABAP Platform (SAP Basis), versions 7.31, 7.4 and 7.5, do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Trust: 1.89

sources: NVD: CVE-2019-0321 // JVNDB: JVNDB-2019-006600 // BID: 109078

AFFECTED PRODUCTS

vendor: sap, model: netweaver as abap, scope: eq, version: 7.5

Trust: 1.3

vendor: sap, model: netweaver as abap, scope: eq, version: 7.4

Trust: 1.3

vendor: sap, model: netweaver as abap, scope: eq, version: 7.31

Trust: 1.3

vendor: sap, model: netweaver abap, scope: eq, version: 7.31

Trust: 0.8

vendor: sap, model: netweaver abap, scope: eq, version: 7.4

Trust: 0.8

vendor: sap, model: netweaver abap, scope: eq, version: 7.5

Trust: 0.8

sources: BID: 109078 // JVNDB: JVNDB-2019-006600 // NVD: CVE-2019-0321

CVSS

SEVERITY

NVD: CVE-2019-0321
value: MEDIUM

Trust: 1.8

CNNVD: CNNVD-201907-465
value: MEDIUM

Trust: 0.6

CVSSV2

NVD: CVE-2019-0321
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

NVD: CVE-2019-0321
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2019-006600 // CNNVD: CNNVD-201907-465 // NVD: CVE-2019-0321

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2019-006600 // NVD: CVE-2019-0321

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-465

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201907-465

CONFIGURATIONS

sources: NVD: CVE-2019-0321

PATCH

title: SAP Security Patch Day - July 2019, url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=523994575

Trust: 0.8

title: SAP ABAP Server and ABAP Platform Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=94604

Trust: 0.6

sources: JVNDB: JVNDB-2019-006600 // CNNVD: CNNVD-201907-465

EXTERNAL IDS

db: NVD, id: CVE-2019-0321

Trust: 2.7

db: BID, id: 109078

Trust: 1.9

db: JVNDB, id: JVNDB-2019-006600

Trust: 0.8

db: CNNVD, id: CNNVD-201907-465

Trust: 0.6

sources: BID: 109078 // JVNDB: JVNDB-2019-006600 // CNNVD: CNNVD-201907-465 // NVD: CVE-2019-0321

REFERENCES

url: https://launchpad.support.sap.com/#/notes/2773888

Trust: 1.9

url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=523994575

Trust: 1.9

url: https://www.securityfocus.com/bid/109078

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2019-0321

Trust: 1.4

url: http://www.sap.com

Trust: 0.9

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-0321

Trust: 0.8

sources: BID: 109078 // JVNDB: JVNDB-2019-006600 // CNNVD: CNNVD-201907-465 // NVD: CVE-2019-0321

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 109078

SOURCES

db: BID, id: 109078
db: JVNDB, id: JVNDB-2019-006600
db: CNNVD, id: CNNVD-201907-465
db: NVD, id: CVE-2019-0321

LAST UPDATE DATE

2022-05-04T10:03:56.365000+00:00


SOURCES UPDATE DATE

db: BID, id: 109078, date: 2019-07-09T00:00:00
db: JVNDB, id: JVNDB-2019-006600, date: 2019-07-24T00:00:00
db: CNNVD, id: CNNVD-201907-465, date: 2019-07-22T00:00:00
db: NVD, id: CVE-2019-0321, date: 2019-07-19T12:42:00

SOURCES RELEASE DATE

db: BID, id: 109078, date: 2019-07-09T00:00:00
db: JVNDB, id: JVNDB-2019-006600, date: 2019-07-24T00:00:00
db: CNNVD, id: CNNVD-201907-465, date: 2019-07-09T00:00:00
db: NVD, id: CVE-2019-0321, date: 2019-07-10T19:15:00