cvelistv5 - cve-2019-0316

CVE-2019-0316 (GCVE-0-2019-0316)

Vulnerability from cvelistv5 – Published: 2019-06-14 18:50 – Updated: 2024-08-04 17:44

Summary

Severity ?

No CVSS data available.

CWE

Cross-Site Scripting

Assigner

sap

References

URL

Tags

	https://wiki.scn.sap.com/wiki/pages/viewpage.acti…	x_refsource_MISC
	https://launchpad.support.sap.com/#/notes/2745917	x_refsource_MISC

Impacted products

Vendor

Product

Version

SAP SE

SAP NetWeaver Process Integration(SAP_XIESR)

Affected: < 7.20

SAP SE

SAP NetWeaver Process Integration(SAP_XITOOL)

Affected: < 7.10 to 7.11
Affected: < 7.30
Affected: < 7.31
Affected: < 7.40
Affected: < 7.50

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:44:16.455Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://launchpad.support.sap.com/#/notes/2745917"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "SAP NetWeaver Process Integration(SAP_XIESR)",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.20"
            }
          ]
        },
        {
          "product": "SAP NetWeaver Process Integration(SAP_XITOOL)",
          "vendor": "SAP SE",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.10 to 7.11"
            },
            {
              "status": "affected",
              "version": "\u003c 7.30"
            },
            {
              "status": "affected",
              "version": "\u003c 7.31"
            },
            {
              "status": "affected",
              "version": "\u003c 7.40"
            },
            {
              "status": "affected",
              "version": "\u003c 7.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim\u2019s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-Site Scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-06-14T18:50:55",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://launchpad.support.sap.com/#/notes/2745917"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2019-0316",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "SAP NetWeaver Process Integration(SAP_XIESR)",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "\u003c",
                            "version_value": "7.20"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "SAP NetWeaver Process Integration(SAP_XITOOL)",
                      "version": {
                        "version_data": [
                          {
                            "version_name": "\u003c",
                            "version_value": "7.10 to 7.11"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "7.30"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "7.31"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "7.40"
                          },
                          {
                            "version_name": "\u003c",
                            "version_value": "7.50"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "SAP SE"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim\u2019s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242",
              "refsource": "MISC",
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/2745917",
              "refsource": "MISC",
              "url": "https://launchpad.support.sap.com/#/notes/2745917"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2019-0316",
    "datePublished": "2019-06-14T18:50:55",
    "dateReserved": "2018-11-26T00:00:00",
    "dateUpdated": "2024-08-04T17:44:16.455Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_process_integration:7.10:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"75E83C25-D30B-4459-A1F1-DE7EC9FD46BE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_process_integration:7.11:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"900D10B0-B47B-46B0-A0A9-8E41660429DD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_process_integration:7.20:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D57CEB9D-5C06-4B3E-A36E-5B8689CA5657\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_process_integration:7.30:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3062CE84-B6E2-40DE-B7B1-0752FC21BFAD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_process_integration:7.31:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"587D81FB-B2ED-4184-9258-A38A18B36DC5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_process_integration:7.40:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A325699D-6AB0-4BBC-A21C-A974FA1612DE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:netweaver_process_integration:7.50:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2A3A3226-28D1-4B43-942B-F41BD340E746\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim\\u2019s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability.\"}, {\"lang\": \"es\", \"value\": \"SAP NetWeaver Process Integration, versiones: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 a 7.11, 7.30, 7.31, 7.40, 7.50, no valida suficientemente las entradas controladas por el usuario, lo que permite a un atacante que posee privilegios de administrador leer y modificar datos del navegador de la v\\u00edctima , al inyectar scripts maliciosos en ciertos servlets, que se ejecutar\\u00e1n cuando se enga\\u00f1e a la v\\u00edctima para que haga clic en esos enlaces maliciosos, lo que da como resultado una vulnerabilidad de Cross Site Scripting reflejada.\"}]",
      "id": "CVE-2019-0316",
      "lastModified": "2024-11-21T04:16:40.460",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.7, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2019-06-14T19:29:00.340",
      "references": "[{\"url\": \"https://launchpad.support.sap.com/#/notes/2745917\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/2745917\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cna@sap.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-0316\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2019-06-14T19:29:00.340\",\"lastModified\":\"2024-11-21T04:16:40.460\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim\u2019s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability.\"},{\"lang\":\"es\",\"value\":\"SAP NetWeaver Process Integration, versiones: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 a 7.11, 7.30, 7.31, 7.40, 7.50, no valida suficientemente las entradas controladas por el usuario, lo que permite a un atacante que posee privilegios de administrador leer y modificar datos del navegador de la v\u00edctima , al inyectar scripts maliciosos en ciertos servlets, que se ejecutar\u00e1n cuando se enga\u00f1e a la v\u00edctima para que haga clic en esos enlaces maliciosos, lo que da como resultado una vulnerabilidad de Cross Site Scripting reflejada.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_process_integration:7.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"75E83C25-D30B-4459-A1F1-DE7EC9FD46BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_process_integration:7.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"900D10B0-B47B-46B0-A0A9-8E41660429DD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_process_integration:7.20:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D57CEB9D-5C06-4B3E-A36E-5B8689CA5657\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_process_integration:7.30:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3062CE84-B6E2-40DE-B7B1-0752FC21BFAD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_process_integration:7.31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"587D81FB-B2ED-4184-9258-A38A18B36DC5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_process_integration:7.40:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A325699D-6AB0-4BBC-A21C-A974FA1612DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:netweaver_process_integration:7.50:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2A3A3226-28D1-4B43-942B-F41BD340E746\"}]}]}],\"references\":[{\"url\":\"https://launchpad.support.sap.com/#/notes/2745917\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/2745917\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

FKIE_CVE-2019-0316

Vulnerability from fkie_nvd - Published: 2019-06-14 19:29 - Updated: 2024-11-21 04:16

Severity ?

4.8 (Medium) - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
cna@sap.com	https://launchpad.support.sap.com/#/notes/2745917	Permissions Required, Vendor Advisory
cna@sap.com	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://launchpad.support.sap.com/#/notes/2745917	Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242	Vendor Advisory

Impacted products

Vendor	Product	Version
sap	netweaver_process_integration	7.10
sap	netweaver_process_integration	7.11
sap	netweaver_process_integration	7.20
sap	netweaver_process_integration	7.30
sap	netweaver_process_integration	7.31
sap	netweaver_process_integration	7.40
sap	netweaver_process_integration	7.50

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "75E83C25-D30B-4459-A1F1-DE7EC9FD46BE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "900D10B0-B47B-46B0-A0A9-8E41660429DD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "D57CEB9D-5C06-4B3E-A36E-5B8689CA5657",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.30:*:*:*:*:*:*:*",
              "matchCriteriaId": "3062CE84-B6E2-40DE-B7B1-0752FC21BFAD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.31:*:*:*:*:*:*:*",
              "matchCriteriaId": "587D81FB-B2ED-4184-9258-A38A18B36DC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.40:*:*:*:*:*:*:*",
              "matchCriteriaId": "A325699D-6AB0-4BBC-A21C-A974FA1612DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:sap:netweaver_process_integration:7.50:*:*:*:*:*:*:*",
              "matchCriteriaId": "2A3A3226-28D1-4B43-942B-F41BD340E746",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim\u2019s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability."
    },
    {
      "lang": "es",
      "value": "SAP NetWeaver Process Integration, versiones: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 a 7.11, 7.30, 7.31, 7.40, 7.50, no valida suficientemente las entradas controladas por el usuario, lo que permite a un atacante que posee privilegios de administrador leer y modificar datos del navegador de la v\u00edctima , al inyectar scripts maliciosos en ciertos servlets, que se ejecutar\u00e1n cuando se enga\u00f1e a la v\u00edctima para que haga clic en esos enlaces maliciosos, lo que da como resultado una vulnerabilidad de Cross Site Scripting reflejada."
    }
  ],
  "id": "CVE-2019-0316",
  "lastModified": "2024-11-21T04:16:40.460",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-14T19:29:00.340",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2745917"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Vendor Advisory"
      ],
      "url": "https://launchpad.support.sap.com/#/notes/2745917"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-201906-1085

Vulnerability from variot - Updated: 2023-12-18 13:13

SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim’s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability. SAP NetWeaver Process Integration Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201906-1085",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "netweaver process integration",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "sap",
        "version": "7.50"
      },
      {
        "model": "netweaver process integration",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "sap",
        "version": "7.40"
      },
      {
        "model": "netweaver process integration",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "sap",
        "version": "7.31"
      },
      {
        "model": "netweaver process integration",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "sap",
        "version": "7.30"
      },
      {
        "model": "netweaver process integration",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "sap",
        "version": "7.11"
      },
      {
        "model": "netweaver process integration",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "sap",
        "version": "7.10"
      },
      {
        "model": "netweaver process integration",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "7.20"
      },
      {
        "model": "netweaver process integration",
        "scope": null,
        "trust": 0.8,
        "vendor": "sap",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "108705"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005568"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-0316"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.40:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.11:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.20:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.30:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.31:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.50:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-0316"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP",
    "sources": [
      {
        "db": "BID",
        "id": "108705"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-497"
      }
    ],
    "trust": 0.9
  },
  "cve": "CVE-2019-0316",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 6.8,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "LOW",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 3.5,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2019-0316",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Low",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 1.7,
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.8,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "CVE-2019-0316",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "High",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2019-0316",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201906-497",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005568"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-0316"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-497"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim\u2019s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability. SAP NetWeaver Process Integration Contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. \nRemote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the  context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-0316"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005568"
      },
      {
        "db": "BID",
        "id": "108705"
      }
    ],
    "trust": 1.89
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2019-0316",
        "trust": 2.7
      },
      {
        "db": "BID",
        "id": "108705",
        "trust": 0.9
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005568",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-497",
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "108705"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005568"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-0316"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-497"
      }
    ]
  },
  "id": "VAR-201906-1085",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.15555556
  },
  "last_update_date": "2023-12-18T13:13:23.273000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "SAP Security Patch Day - June 2019",
        "trust": 0.8,
        "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=521864242"
      },
      {
        "title": "SAP NetWeaver Process Integration Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=93732"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005568"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-497"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005568"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-0316"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.9,
        "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=521864242"
      },
      {
        "trust": 1.6,
        "url": "https://launchpad.support.sap.com/#/notes/2745917"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-0316"
      },
      {
        "trust": 0.9,
        "url": "http://www.sap.com"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-0316"
      },
      {
        "trust": 0.6,
        "url": "https://www.securityfocus.com/bid/108705"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "108705"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005568"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-0316"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-497"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "BID",
        "id": "108705"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005568"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-0316"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-497"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-06-11T00:00:00",
        "db": "BID",
        "id": "108705"
      },
      {
        "date": "2019-06-24T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-005568"
      },
      {
        "date": "2019-06-14T19:29:00.340000",
        "db": "NVD",
        "id": "CVE-2019-0316"
      },
      {
        "date": "2019-06-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201906-497"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2019-06-11T00:00:00",
        "db": "BID",
        "id": "108705"
      },
      {
        "date": "2019-06-24T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-005568"
      },
      {
        "date": "2020-02-10T21:48:48.353000",
        "db": "NVD",
        "id": "CVE-2019-0316"
      },
      {
        "date": "2020-02-12T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201906-497"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-497"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP NetWeaver Process Integration Vulnerable to cross-site scripting",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-005568"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "XSS",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201906-497"
      }
    ],
    "trust": 0.6
  }
}

GSD-2019-0316

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2019-0316

Aliases

CVE-2019-0316

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-0316",
    "description": "SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim\u2019s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability.",
    "id": "GSD-2019-0316"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-0316"
      ],
      "details": "SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim\u2019s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability.",
      "id": "GSD-2019-0316",
      "modified": "2023-12-13T01:23:39.541832Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@sap.com",
        "ID": "CVE-2019-0316",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SAP NetWeaver Process Integration(SAP_XIESR)",
                    "version": {
                      "version_data": [
                        {
                          "version_name": "\u003c",
                          "version_value": "7.20"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "SAP NetWeaver Process Integration(SAP_XITOOL)",
                    "version": {
                      "version_data": [
                        {
                          "version_name": "\u003c",
                          "version_value": "7.10 to 7.11"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "7.30"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "7.31"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "7.40"
                        },
                        {
                          "version_name": "\u003c",
                          "version_value": "7.50"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SAP SE"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim\u2019s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross-Site Scripting"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242",
            "refsource": "MISC",
            "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"
          },
          {
            "name": "https://launchpad.support.sap.com/#/notes/2745917",
            "refsource": "MISC",
            "url": "https://launchpad.support.sap.com/#/notes/2745917"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.40:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.11:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.20:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.30:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.31:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sap:netweaver_process_integration:7.50:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@sap.com",
          "ID": "CVE-2019-0316"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim\u2019s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"
            },
            {
              "name": "https://launchpad.support.sap.com/#/notes/2745917",
              "refsource": "MISC",
              "tags": [
                "Permissions Required",
                "Vendor Advisory"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2745917"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 1.7,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2020-02-10T21:48Z",
      "publishedDate": "2019-06-14T19:29Z"
    }
  }
}

CNVD-2019-34746

Vulnerability from cnvd - Published: 2019-10-12

Title

SAP NetWeaver Process Integration跨站脚本漏洞（CNVD-2019-34746）

Description

SAP NetWeaver Process Integration（PI）是德国思爱普（SAP）公司的一套SAP企业应用程序集成软件，是NetWeaver产品组的一个组件。该组件主要用于内部系统与外部的信息交换。 SAP NetWeaver Process Integration中存在跨站脚本漏洞，该漏洞源于WEB应用缺少对客户端数据的正确验证，攻击者可利用该漏洞执行客户端代码。

Severity

中

Patch Name

SAP NetWeaver Process Integration跨站脚本漏洞（CNVD-2019-34746）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-0316

Impacted products

Name
['SAP NetWeaver Process Integration 7.10', 'SAP NetWeaver Process Integration 7.11', 'SAP NetWeaver Process Integration 7.30', 'SAP NetWeaver Process Integration 7.31', 'SAP NetWeaver Process Integration 7.40', 'SAP NetWeaver Process Integration 7.50']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "108705"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-0316",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0316"
    }
  },
  "description": "SAP NetWeaver Process Integration\uff08PI\uff09\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957SAP\u4f01\u4e1a\u5e94\u7528\u7a0b\u5e8f\u96c6\u6210\u8f6f\u4ef6\uff0c\u662fNetWeaver\u4ea7\u54c1\u7ec4\u7684\u4e00\u4e2a\u7ec4\u4ef6\u3002\u8be5\u7ec4\u4ef6\u4e3b\u8981\u7528\u4e8e\u5185\u90e8\u7cfb\u7edf\u4e0e\u5916\u90e8\u7684\u4fe1\u606f\u4ea4\u6362\u3002\n\nSAP NetWeaver Process Integration\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
  "discovererName": "SAP",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-34746",
  "openTime": "2019-10-12",
  "patchDescription": "SAP NetWeaver Process Integration\uff08PI\uff09\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957SAP\u4f01\u4e1a\u5e94\u7528\u7a0b\u5e8f\u96c6\u6210\u8f6f\u4ef6\uff0c\u662fNetWeaver\u4ea7\u54c1\u7ec4\u7684\u4e00\u4e2a\u7ec4\u4ef6\u3002\u8be5\u7ec4\u4ef6\u4e3b\u8981\u7528\u4e8e\u5185\u90e8\u7cfb\u7edf\u4e0e\u5916\u90e8\u7684\u4fe1\u606f\u4ea4\u6362\u3002\r\n\r\nSAP NetWeaver Process Integration\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP NetWeaver Process Integration\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2019-34746\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP NetWeaver Process Integration 7.10",
      "SAP NetWeaver Process Integration 7.11",
      "SAP NetWeaver Process Integration 7.30",
      "SAP NetWeaver Process Integration 7.31",
      "SAP NetWeaver Process Integration 7.40",
      "SAP NetWeaver Process Integration 7.50"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-0316",
  "serverity": "\u4e2d",
  "submitTime": "2019-06-13",
  "title": "SAP NetWeaver Process Integration\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2019-34746\uff09"
}

GHSA-VF7W-FVMR-776R

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 00:58

Details

Severity ?

4.8 (Medium)


                  
                    CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-0316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-14T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim?s browser, by injecting malicious scripts in certain servlets, which will be executed when the victim is tricked to click on those malicious links, resulting in reflected Cross Site Scripting vulnerability.",
  "id": "GHSA-vf7w-fvmr-776r",
  "modified": "2024-04-04T00:58:07Z",
  "published": "2022-05-24T16:48:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0316"
    },
    {
      "type": "WEB",
      "url": "https://launchpad.support.sap.com/#/notes/2745917"
    },
    {
      "type": "WEB",
      "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-0316 (GCVE-0-2019-0316)

FKIE_CVE-2019-0316

VAR-201906-1085

GSD-2019-0316

CNVD-2019-34746

GHSA-VF7W-FVMR-776R

Tags

Sightings

Nomenclature