cvelistv5 - CVE-2007-3496

CVE-2007-3496 (GCVE-0-2007-3496)

Vulnerability from cvelistv5 – Published: 2007-06-29 18:00 – Updated: 2024-08-07 14:21

Summary

Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD-JAV) in SAP NetWeaver Nw04 SP15 through SP19 and Nw04s SP7 through SP11, aka SAP Java Technology Services 640 before SP20 and SAP Web Dynpro Runtime Core Components 700 before SP12, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://www.csnc.ch/advisory/sap01.html	x_refsource_MISC
	http://securityreason.com/securityalert/2850	third-party-advisoryx_refsource_SREASON
	http://www.securityfocus.com/archive/1/472341/100…	mailing-listx_refsource_BUGTRAQ
	http://secunia.com/advisories/25866	third-party-advisoryx_refsource_SECUNIA
	http://www.vupen.com/english/advisories/2007/2381	vdb-entryx_refsource_VUPEN
	http://osvdb.org/37748	vdb-entryx_refsource_OSVDB

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T14:21:36.170Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.csnc.ch/advisory/sap01.html"
          },
          {
            "name": "2850",
            "tags": [
              "third-party-advisory",
              "x_refsource_SREASON",
              "x_transferred"
            ],
            "url": "http://securityreason.com/securityalert/2850"
          },
          {
            "name": "20070627 SAP Web Dynpro Java (BC-WD-JAV) Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/472341/100/0/threaded"
          },
          {
            "name": "25866",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/25866"
          },
          {
            "name": "ADV-2007-2381",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2007/2381"
          },
          {
            "name": "37748",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://osvdb.org/37748"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2007-06-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD-JAV) in SAP NetWeaver Nw04 SP15 through SP19 and Nw04s SP7 through SP11, aka SAP Java Technology Services 640 before SP20 and SAP Web Dynpro Runtime Core Components 700 before SP12, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-16T14:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.csnc.ch/advisory/sap01.html"
        },
        {
          "name": "2850",
          "tags": [
            "third-party-advisory",
            "x_refsource_SREASON"
          ],
          "url": "http://securityreason.com/securityalert/2850"
        },
        {
          "name": "20070627 SAP Web Dynpro Java (BC-WD-JAV) Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/472341/100/0/threaded"
        },
        {
          "name": "25866",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/25866"
        },
        {
          "name": "ADV-2007-2381",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2007/2381"
        },
        {
          "name": "37748",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://osvdb.org/37748"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2007-3496",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD-JAV) in SAP NetWeaver Nw04 SP15 through SP19 and Nw04s SP7 through SP11, aka SAP Java Technology Services 640 before SP20 and SAP Web Dynpro Runtime Core Components 700 before SP12, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.csnc.ch/advisory/sap01.html",
              "refsource": "MISC",
              "url": "http://www.csnc.ch/advisory/sap01.html"
            },
            {
              "name": "2850",
              "refsource": "SREASON",
              "url": "http://securityreason.com/securityalert/2850"
            },
            {
              "name": "20070627 SAP Web Dynpro Java (BC-WD-JAV) Vulnerability",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/472341/100/0/threaded"
            },
            {
              "name": "25866",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/25866"
            },
            {
              "name": "ADV-2007-2381",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2007/2381"
            },
            {
              "name": "37748",
              "refsource": "OSVDB",
              "url": "http://osvdb.org/37748"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2007-3496",
    "datePublished": "2007-06-29T18:00:00",
    "dateReserved": "2007-06-29T00:00:00",
    "dateUpdated": "2024-08-07T14:21:36.170Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_nw04:sp15:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C9C46819-0988-44E7-9044-F7065DD84A6D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_nw04:sp16:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F5282330-5991-46EA-ACEF-72B6AB76B547\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_nw04:sp17:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"761E7AAE-17A9-4E16-8CB4-5C7BFCAFAD39\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_nw04:sp18:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"27BA15F8-5D3C-43E6-9110-50EC8980AAD0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_nw04:sp19:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8B6D16CA-1FC4-41E3-B6CA-49B1166D9831\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_nw04s:sp7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"87F7D73C-34F9-44D7-A650-AAD8384C095D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_nw04s:sp8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F41F99DD-6170-4909-987F-1EDA6610DC75\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_nw04s:sp9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AA366FFE-64AE-4330-8F87-26B258DE360B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_nw04s:sp10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9F1E7843-FDBB-4145-B7F2-82F3BF1751EA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_nw04s:sp11:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"232AFD96-D76E-4B26-9EF3-A0E458FDCBF7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis_component_640:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"sp19\", \"matchCriteriaId\": \"6AEEB988-54CE-4E13-AA3B-7C1C73732777\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:sap_basis_component_700:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"sp11\", \"matchCriteriaId\": \"FE706CA3-FA62-4706-96E4-5FE0278A3ED3\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD-JAV) in SAP NetWeaver Nw04 SP15 through SP19 and Nw04s SP7 through SP11, aka SAP Java Technology Services 640 before SP20 and SAP Web Dynpro Runtime Core Components 700 before SP12, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en SAP Web Dynpro Java (BC-WD-JAV) en SAP NetWeaver Nw04 SP15 hasta SP19 y Nw04s SP7 hasta SP11, tambi\\u00e9n conocido como SAP Java TEchnology Services 640 anterior a SP20 y SAP Web Dynpro Runtime Core Components 700 anterior a SP12, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\\u00f3n a trav\\u00e9s de la cabecera HTTP User-Agent.\"}]",
      "id": "CVE-2007-3496",
      "lastModified": "2024-11-21T00:33:23.207",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2007-06-29T18:30:00.000",
      "references": "[{\"url\": \"http://osvdb.org/37748\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/25866\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://securityreason.com/securityalert/2850\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.csnc.ch/advisory/sap01.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/archive/1/472341/100/0/threaded\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.vupen.com/english/advisories/2007/2381\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://osvdb.org/37748\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/25866\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://securityreason.com/securityalert/2850\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.csnc.ch/advisory/sap01.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/archive/1/472341/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.vupen.com/english/advisories/2007/2381\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2007-3496\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2007-06-29T18:30:00.000\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD-JAV) in SAP NetWeaver Nw04 SP15 through SP19 and Nw04s SP7 through SP11, aka SAP Java Technology Services 640 before SP20 and SAP Web Dynpro Runtime Core Components 700 before SP12, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en SAP Web Dynpro Java (BC-WD-JAV) en SAP NetWeaver Nw04 SP15 hasta SP19 y Nw04s SP7 hasta SP11, tambi\u00e9n conocido como SAP Java TEchnology Services 640 anterior a SP20 y SAP Web Dynpro Runtime Core Components 700 anterior a SP12, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s de la cabecera HTTP User-Agent.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_nw04:sp15:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9C46819-0988-44E7-9044-F7065DD84A6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_nw04:sp16:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5282330-5991-46EA-ACEF-72B6AB76B547\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_nw04:sp17:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"761E7AAE-17A9-4E16-8CB4-5C7BFCAFAD39\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_nw04:sp18:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"27BA15F8-5D3C-43E6-9110-50EC8980AAD0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_nw04:sp19:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B6D16CA-1FC4-41E3-B6CA-49B1166D9831\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_nw04s:sp7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"87F7D73C-34F9-44D7-A650-AAD8384C095D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_nw04s:sp8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F41F99DD-6170-4909-987F-1EDA6610DC75\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_nw04s:sp9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AA366FFE-64AE-4330-8F87-26B258DE360B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_nw04s:sp10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F1E7843-FDBB-4145-B7F2-82F3BF1751EA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_nw04s:sp11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"232AFD96-D76E-4B26-9EF3-A0E458FDCBF7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis_component_640:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"sp19\",\"matchCriteriaId\":\"6AEEB988-54CE-4E13-AA3B-7C1C73732777\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:sap_basis_component_700:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"sp11\",\"matchCriteriaId\":\"FE706CA3-FA62-4706-96E4-5FE0278A3ED3\"}]}]}],\"references\":[{\"url\":\"http://osvdb.org/37748\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/25866\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://securityreason.com/securityalert/2850\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.csnc.ch/advisory/sap01.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/472341/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.vupen.com/english/advisories/2007/2381\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://osvdb.org/37748\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/25866\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://securityreason.com/securityalert/2850\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.csnc.ch/advisory/sap01.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/472341/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.vupen.com/english/advisories/2007/2381\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

FKIE_CVE-2007-3496

Vulnerability from fkie_nvd - Published: 2007-06-29 18:30 - Updated: 2025-04-09 00:30

Severity ?

Summary

References

	URL	Tags
	cve@mitre.org	http://osvdb.org/37748
	cve@mitre.org	http://secunia.com/advisories/25866
	cve@mitre.org	http://securityreason.com/securityalert/2850
	cve@mitre.org	http://www.csnc.ch/advisory/sap01.html
	cve@mitre.org	http://www.securityfocus.com/archive/1/472341/100/0/threaded
	cve@mitre.org	http://www.vupen.com/english/advisories/2007/2381
	af854a3a-2127-422b-91ae-364da2661108	http://osvdb.org/37748
	af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/25866
	af854a3a-2127-422b-91ae-364da2661108	http://securityreason.com/securityalert/2850
	af854a3a-2127-422b-91ae-364da2661108	http://www.csnc.ch/advisory/sap01.html
	af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/472341/100/0/threaded
	af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2007/2381

Impacted products

Vendor	Product	Version
sap	netweaver_nw04	sp15
sap	netweaver_nw04	sp16
sap	netweaver_nw04	sp17
sap	netweaver_nw04	sp18
sap	netweaver_nw04	sp19
sap	netweaver_nw04s	sp7
sap	netweaver_nw04s	sp8
sap	netweaver_nw04s	sp9
sap	netweaver_nw04s	sp10
sap	netweaver_nw04s	sp11
sap	sap_basis_component_640	*
sap	sap_basis_component_700	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver_nw04:sp15:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9C46819-0988-44E7-9044-F7065DD84A6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_nw04:sp16:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5282330-5991-46EA-ACEF-72B6AB76B547",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_nw04:sp17:*:*:*:*:*:*:*",
              "matchCriteriaId": "761E7AAE-17A9-4E16-8CB4-5C7BFCAFAD39",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_nw04:sp18:*:*:*:*:*:*:*",
              "matchCriteriaId": "27BA15F8-5D3C-43E6-9110-50EC8980AAD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_nw04:sp19:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B6D16CA-1FC4-41E3-B6CA-49B1166D9831",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_nw04s:sp7:*:*:*:*:*:*:*",
              "matchCriteriaId": "87F7D73C-34F9-44D7-A650-AAD8384C095D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_nw04s:sp8:*:*:*:*:*:*:*",
              "matchCriteriaId": "F41F99DD-6170-4909-987F-1EDA6610DC75",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_nw04s:sp9:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA366FFE-64AE-4330-8F87-26B258DE360B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_nw04s:sp10:*:*:*:*:*:*:*",
              "matchCriteriaId": "9F1E7843-FDBB-4145-B7F2-82F3BF1751EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_nw04s:sp11:*:*:*:*:*:*:*",
              "matchCriteriaId": "232AFD96-D76E-4B26-9EF3-A0E458FDCBF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis_component_640:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6AEEB988-54CE-4E13-AA3B-7C1C73732777",
              "versionEndIncluding": "sp19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:sap_basis_component_700:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FE706CA3-FA62-4706-96E4-5FE0278A3ED3",
              "versionEndIncluding": "sp11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD-JAV) in SAP NetWeaver Nw04 SP15 through SP19 and Nw04s SP7 through SP11, aka SAP Java Technology Services 640 before SP20 and SAP Web Dynpro Runtime Core Components 700 before SP12, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en SAP Web Dynpro Java (BC-WD-JAV) en SAP NetWeaver Nw04 SP15 hasta SP19 y Nw04s SP7 hasta SP11, tambi\u00e9n conocido como SAP Java TEchnology Services 640 anterior a SP20 y SAP Web Dynpro Runtime Core Components 700 anterior a SP12, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s de la cabecera HTTP User-Agent."
    }
  ],
  "id": "CVE-2007-3496",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2007-06-29T18:30:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://osvdb.org/37748"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/25866"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://securityreason.com/securityalert/2850"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.csnc.ch/advisory/sap01.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/472341/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2007/2381"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://osvdb.org/37748"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/25866"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securityreason.com/securityalert/2850"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.csnc.ch/advisory/sap01.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/472341/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2007/2381"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-WGF3-8PQX-JMQX

Vulnerability from github – Published: 2022-05-01 18:14 – Updated: 2022-05-01 18:14

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2007-3496"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-06-29T18:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD-JAV) in SAP NetWeaver Nw04 SP15 through SP19 and Nw04s SP7 through SP11, aka SAP Java Technology Services 640 before SP20 and SAP Web Dynpro Runtime Core Components 700 before SP12, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.",
  "id": "GHSA-wgf3-8pqx-jmqx",
  "modified": "2022-05-01T18:14:24Z",
  "published": "2022-05-01T18:14:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-3496"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/37748"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/25866"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/2850"
    },
    {
      "type": "WEB",
      "url": "http://www.csnc.ch/advisory/sap01.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/472341/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/2381"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

CERTA-2007-AVI-288

Vulnerability from certfr_avis - Published: - Updated:

None

Description

De nombreuses vulnérabilités découvertes dans les produits SAP permettent à un utilisateur distant malintentionné de réaliser un déni de service, de porter atteinte à la confidentialité des données ou d'exécuter du code arbitraire.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP Web Application Server 6.x ;
SAP	N/A	SAP NetWeaver 4.x ;
SAP	N/A	SAP RFC Library 7.x.
SAP	N/A	SAP RFC Library 6.x ;
SAP	N/A	SAP Internet Graphics Service (IGS) 7.x ;
SAP	N/A	SAP Internet Communication Framework ;
SAP	N/A	SAP Web Application Server 7.x ;
SAP	N/A	SAP Message Server ;
SAP	N/A	SAP Internet Graphics Service (IGS) 6.x ;
SAP	N/A	SAP R/3 ;
SAP	N/A	SAP DB 7.x ;

References

Title

Publication Time

Tags

Bulletins de sécurité NGS Software du 05 juillet 2007 : /	-	other
Bulletins de sécurité CNSC du 17 juin 2007 :	-	other
Bulletins de sécurité CYBSEC du 03 avril 2007 :	-	other
Bulletins de sécurité NGS Software du 05 juillet 2007 : /	-	other
Bulletins de sécurité NGS Software du 05 juillet 2007 : /	-	other
Bulletins de sécurité CNSC du 17 juin 2007 :	-	other
Bulletins de sécurité CYBSEC du 03 avril 2007 :	-	other
Bulletins de sécurité CYBSEC du 03 avril 2007 :	-	other
Bulletins de sécurité NGS Software du 05 juillet 2007 : /	-	other
Bulletins de sécurité CYBSEC du 03 avril 2007 :	-	other
Bulletins de sécurité CYBSEC du 03 avril 2007 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP Web Application Server 6.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver 4.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP RFC Library 7.x.",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP RFC Library 6.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Internet Graphics Service (IGS) 7.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Internet Communication Framework ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Web Application Server 7.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Message Server ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Internet Graphics Service (IGS) 6.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP R/3 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP DB 7.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nDe nombreuses vuln\u00e9rabilit\u00e9s d\u00e9couvertes dans les produits SAP\npermettent \u00e0 un utilisateur distant malintentionn\u00e9 de r\u00e9aliser un d\u00e9ni\nde service, de porter atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es ou\nd\u0027ex\u00e9cuter du code arbitraire.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2007-1915",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1915"
    },
    {
      "name": "CVE-2007-3496",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3496"
    },
    {
      "name": "CVE-2007-3495",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3495"
    },
    {
      "name": "CVE-2007-1917",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1917"
    },
    {
      "name": "CVE-2007-1914",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1914"
    },
    {
      "name": "CVE-2007-1916",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1916"
    },
    {
      "name": "CVE-2007-1918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1918"
    }
  ],
  "links": [
    {
      "title": "Bulletins de s\u00e9curit\u00e9 NGS Software du 05 juillet 2007 :      \n \n /",
      "url": "http://www.ngssoftware.com/advisories/medium-risk-vulnerability-in-sap-internet-graphics-server/"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CNSC du 17 juin 2007 :",
      "url": "http://www.csnc.ch/advisory/sap01.html?__cookie_try=1"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CYBSEC du 03 avril 2007 :",
      "url": "http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_TRUSTED_SYSTEM_SECURITY_RFC_Function_Information_Disclosure.pdf"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 NGS Software du 05 juillet 2007 :      \n \n /",
      "url": "http://www.ngssoftware.com/advisories/critical-risk-vulnerability-in-sap-message-server-heap-overflow/"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 NGS Software du 05 juillet 2007 :      \n \n /",
      "url": "http://www.ngssoftware.com/advisories/critical-risk-vulnerability-in-sap-db-web-server-stack-overflow/"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CNSC du 17 juin 2007 :",
      "url": "http://www.csnc.ch/advisory/sap02.html?__cookie_try=1"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CYBSEC du 03 avril 2007 :",
      "url": "http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_SYSTEM_CREATE_INSTANCE_RFC_Function_Buffer_Overflow.pdf"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CYBSEC du 03 avril 2007 :",
      "url": "http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_START_GUI_RFC_Function_Buffer_Overflow.pdf"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 NGS Software du 05 juillet 2007 :      \n \n /",
      "url": "http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-sap-internet-communication-manager-dos"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CYBSEC du 03 avril 2007 :",
      "url": "http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_START_PROGRAM_RFC_Function_Multiple_Vulnerabilities.pdf"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CYBSEC du 03 avril 2007 :",
      "url": "http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_SET_REG_SERVER_PROPERTIE_RFC_Function_Denial_of_Service.pdf"
    }
  ],
  "reference": "CERTA-2007-AVI-288",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2007-07-10T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": null,
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": []
}

CERTA-2007-AVI-288

Vulnerability from certfr_avis - Published: - Updated:

None

Description

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SAP	N/A	SAP Web Application Server 6.x ;
SAP	N/A	SAP NetWeaver 4.x ;
SAP	N/A	SAP RFC Library 7.x.
SAP	N/A	SAP RFC Library 6.x ;
SAP	N/A	SAP Internet Graphics Service (IGS) 7.x ;
SAP	N/A	SAP Internet Communication Framework ;
SAP	N/A	SAP Web Application Server 7.x ;
SAP	N/A	SAP Message Server ;
SAP	N/A	SAP Internet Graphics Service (IGS) 6.x ;
SAP	N/A	SAP R/3 ;
SAP	N/A	SAP DB 7.x ;

References

Title

Publication Time

Tags

Bulletins de sécurité NGS Software du 05 juillet 2007 : /	-	other
Bulletins de sécurité CNSC du 17 juin 2007 :	-	other
Bulletins de sécurité CYBSEC du 03 avril 2007 :	-	other
Bulletins de sécurité NGS Software du 05 juillet 2007 : /	-	other
Bulletins de sécurité NGS Software du 05 juillet 2007 : /	-	other
Bulletins de sécurité CNSC du 17 juin 2007 :	-	other
Bulletins de sécurité CYBSEC du 03 avril 2007 :	-	other
Bulletins de sécurité CYBSEC du 03 avril 2007 :	-	other
Bulletins de sécurité NGS Software du 05 juillet 2007 : /	-	other
Bulletins de sécurité CYBSEC du 03 avril 2007 :	-	other
Bulletins de sécurité CYBSEC du 03 avril 2007 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "SAP Web Application Server 6.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP NetWeaver 4.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP RFC Library 7.x.",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP RFC Library 6.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Internet Graphics Service (IGS) 7.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Internet Communication Framework ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Web Application Server 7.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Message Server ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP Internet Graphics Service (IGS) 6.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP R/3 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "SAP DB 7.x ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nDe nombreuses vuln\u00e9rabilit\u00e9s d\u00e9couvertes dans les produits SAP\npermettent \u00e0 un utilisateur distant malintentionn\u00e9 de r\u00e9aliser un d\u00e9ni\nde service, de porter atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es ou\nd\u0027ex\u00e9cuter du code arbitraire.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2007-1915",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1915"
    },
    {
      "name": "CVE-2007-3496",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3496"
    },
    {
      "name": "CVE-2007-3495",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3495"
    },
    {
      "name": "CVE-2007-1917",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1917"
    },
    {
      "name": "CVE-2007-1914",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1914"
    },
    {
      "name": "CVE-2007-1916",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1916"
    },
    {
      "name": "CVE-2007-1918",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1918"
    }
  ],
  "links": [
    {
      "title": "Bulletins de s\u00e9curit\u00e9 NGS Software du 05 juillet 2007 :      \n \n /",
      "url": "http://www.ngssoftware.com/advisories/medium-risk-vulnerability-in-sap-internet-graphics-server/"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CNSC du 17 juin 2007 :",
      "url": "http://www.csnc.ch/advisory/sap01.html?__cookie_try=1"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CYBSEC du 03 avril 2007 :",
      "url": "http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_TRUSTED_SYSTEM_SECURITY_RFC_Function_Information_Disclosure.pdf"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 NGS Software du 05 juillet 2007 :      \n \n /",
      "url": "http://www.ngssoftware.com/advisories/critical-risk-vulnerability-in-sap-message-server-heap-overflow/"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 NGS Software du 05 juillet 2007 :      \n \n /",
      "url": "http://www.ngssoftware.com/advisories/critical-risk-vulnerability-in-sap-db-web-server-stack-overflow/"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CNSC du 17 juin 2007 :",
      "url": "http://www.csnc.ch/advisory/sap02.html?__cookie_try=1"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CYBSEC du 03 avril 2007 :",
      "url": "http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_SYSTEM_CREATE_INSTANCE_RFC_Function_Buffer_Overflow.pdf"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CYBSEC du 03 avril 2007 :",
      "url": "http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_START_GUI_RFC_Function_Buffer_Overflow.pdf"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 NGS Software du 05 juillet 2007 :      \n \n /",
      "url": "http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-sap-internet-communication-manager-dos"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CYBSEC du 03 avril 2007 :",
      "url": "http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_START_PROGRAM_RFC_Function_Multiple_Vulnerabilities.pdf"
    },
    {
      "title": "Bulletins de s\u00e9curit\u00e9 CYBSEC du 03 avril 2007 :",
      "url": "http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_SAP_RFC_SET_REG_SERVER_PROPERTIE_RFC_Function_Denial_of_Service.pdf"
    }
  ],
  "reference": "CERTA-2007-AVI-288",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2007-07-10T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": null,
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": []
}

GSD-2007-3496

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2007-3496

Aliases

CVE-2007-3496

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2007-3496",
    "description": "Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD-JAV) in SAP NetWeaver Nw04 SP15 through SP19 and Nw04s SP7 through SP11, aka SAP Java Technology Services 640 before SP20 and SAP Web Dynpro Runtime Core Components 700 before SP12, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.",
    "id": "GSD-2007-3496"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2007-3496"
      ],
      "details": "Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD-JAV) in SAP NetWeaver Nw04 SP15 through SP19 and Nw04s SP7 through SP11, aka SAP Java Technology Services 640 before SP20 and SAP Web Dynpro Runtime Core Components 700 before SP12, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.",
      "id": "GSD-2007-3496",
      "modified": "2023-12-13T01:21:41.638682Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2007-3496",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD-JAV) in SAP NetWeaver Nw04 SP15 through SP19 and Nw04s SP7 through SP11, aka SAP Java Technology Services 640 before SP20 and SAP Web Dynpro Runtime Core Components 700 before SP12, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.csnc.ch/advisory/sap01.html",
            "refsource": "MISC",
            "url": "http://www.csnc.ch/advisory/sap01.html"
          },
          {
            "name": "2850",
            "refsource": "SREASON",
            "url": "http://securityreason.com/securityalert/2850"
          },
          {
            "name": "20070627 SAP Web Dynpro Java (BC-WD-JAV) Vulnerability",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/472341/100/0/threaded"
          },
          {
            "name": "25866",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/25866"
          },
          {
            "name": "ADV-2007-2381",
            "refsource": "VUPEN",
            "url": "http://www.vupen.com/english/advisories/2007/2381"
          },
          {
            "name": "37748",
            "refsource": "OSVDB",
            "url": "http://osvdb.org/37748"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_nw04:sp17:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_nw04:sp18:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:sap_basis_component_640:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "sp19",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:sap_basis_component_700:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "sp11",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_nw04s:sp11:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_nw04s:sp7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_nw04:sp19:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_nw04s:sp10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_nw04:sp15:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_nw04:sp16:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_nw04s:sp8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_nw04s:sp9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2007-3496"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-site scripting (XSS) vulnerability in SAP Web Dynpro Java (BC-WD-JAV) in SAP NetWeaver Nw04 SP15 through SP19 and Nw04s SP7 through SP11, aka SAP Java Technology Services 640 before SP20 and SAP Web Dynpro Runtime Core Components 700 before SP12, allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.csnc.ch/advisory/sap01.html",
              "refsource": "MISC",
              "tags": [],
              "url": "http://www.csnc.ch/advisory/sap01.html"
            },
            {
              "name": "25866",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/25866"
            },
            {
              "name": "2850",
              "refsource": "SREASON",
              "tags": [],
              "url": "http://securityreason.com/securityalert/2850"
            },
            {
              "name": "37748",
              "refsource": "OSVDB",
              "tags": [],
              "url": "http://osvdb.org/37748"
            },
            {
              "name": "ADV-2007-2381",
              "refsource": "VUPEN",
              "tags": [],
              "url": "http://www.vupen.com/english/advisories/2007/2381"
            },
            {
              "name": "20070627 SAP Web Dynpro Java (BC-WD-JAV) Vulnerability",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/472341/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2018-10-16T16:50Z",
      "publishedDate": "2007-06-29T18:30Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2007-3496 (GCVE-0-2007-3496)

FKIE_CVE-2007-3496

GHSA-WGF3-8PQX-JMQX

CERTA-2007-AVI-288

Description

Solution

CERTA-2007-AVI-288

Description

Solution

GSD-2007-3496

Tags

Sightings

Nomenclature