var-200901-0456
Vulnerability from variot

Cross-site scripting (XSS) vulnerability in Web Dynpro (WD) in the SAP NetWeaver portal, when Internet Explorer 7.0.5730 is used, allows remote attackers to inject arbitrary web script or HTML via a crafted URI, which causes the XSS payload to be reflected in a text/plain document.

SAP NetWeaver and Web Dynpro Java are prone to a cross-site scripting vulnerability because the applications fail to sufficiently sanitize user-supplied input. A successful exploit of this vulnerability could allow an attacker to compromise the application, access or modify data, or steal cookie-based authentication credentials. Other attacks are also possible.

This issue is associated with SAP notification number 1235253.

COMPASS SECURITY ADVISORY

http://www.csnc.ch/en/downloads/advisories.html

Product: NetWeaver/Web DynPro

Vendor: SAP (www.sap.com)

CVD ID: CVE-2008-3358

Subject: Cross-Site Scripting Vulnerability

Risk: High

Effect: Remotely exploitable

Author: Martin Suess <martin.suess@csnc.ch>

Date: January 27th 2009

Introduction:

The vulnerability found targets the SAP NetWeaver portal. It is possible to execute JavaScript code in the browser of a valid user when clicking on a specially crafted URL which can be sent to the user by email. This vulnerability can be used to steal the user's session cookie or redirect him to a phishing website which shows the (faked) login screen and gets his logon credentials as soon as he tries to log in on the faked site.

Affected:

  • All tested versions that are vulnerable
      SAP NetWeaver/Web DynPro
      [for detailed Information, see SAP Notification 1235253]

Description:

A specially crafted URL in SAP NetWeaver allows an attacker to launch a Cross-Site Scripting attack. The resulting page contains only the unfiltered value of the vulnerable parameter. It is possible to create a URL which causes the resulting page to contain malicious JavaScript code. A response to such a request could look like the following example:

    HTTP/1.1 200 OK
    Date: Fri, 18 Jul 2008 13:13:30 GMT
    Server: <server>
    content-type: text/plain
    Content-Length: 67
    Keep-Alive: timeout=10, max=500
    Connection: Keep-Alive

    <html><title>test</title><body onload="alert(document.cookie)">
    </body></html>

The code only gets executed in Microsoft Internet Explorer (tested with version 7.0.5730 only). In Firefox (tested with version 3.0 only) it did not get executed as the content-type header of the server response is interpreted more strictly (text/plain).

SAP Information Policy:

The information is available to registered SAP clients only (SAP Security Notes).

Patches:

Apply the latest SAP security patches for Netweaver.

Timeline:

Vendor Status: Patch released
Vendor Notified: July 21st 2008
Vendor Response: July 28th 2008
Patch available: October 2008
Advisory Release: January 27th 2009

References:

  • SAP Notification 1235253 (problem and patches)



TITLE: SAP NetWeaver Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID: SA33685

VERIFY ADVISORY: http://secunia.com/advisories/33685/

CRITICAL: Less critical

IMPACT: Cross Site Scripting

WHERE:

From remote

SOFTWARE: SAP NetWeaver 4.x http://secunia.com/advisories/product/9490/

DESCRIPTION: A vulnerability has been reported in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation may require that the victim uses a browser which executes JavaScript statements in documents of the content type "text/plain" (e.g. Internet Explorer).

SOLUTION: The vendor has reportedly issued a patch via SAP Note 1235253. http://service.sap.com/sap/support/notes/1235253

PROVIDED AND/OR DISCOVERED BY: Martin Suess, Compass Security

ORIGINAL ADVISORY: SAP: http://service.sap.com/sap/support/notes/1235253

Compass Security: http://www.csnc.ch/misc/files/advisories/CVE-2008-3358.txt




{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200901-0456",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "netweaver",
        "scope": null,
        "trust": 1.4,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sap",
        "version": "*"
      },
      {
        "model": "netweaver application server sp21",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "6.40104329.313"
      },
      {
        "model": "netweaver application server sp17",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "6.40104329.313"
      },
      {
        "model": "netweaver nw04s sp9",
        "scope": null,
        "trust": 0.3,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver portal sp21",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "2004"
      },
      {
        "model": "netweaver application server sp17",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "6.40"
      },
      {
        "model": "netweaver nw04 sp17",
        "scope": null,
        "trust": 0.3,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver nw04 sp15",
        "scope": null,
        "trust": 0.3,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver portal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "2004.."
      },
      {
        "model": "netweaver sp15",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "7.0"
      },
      {
        "model": "netweaver nw04s sp10",
        "scope": null,
        "trust": 0.3,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver sp20",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "640"
      },
      {
        "model": "netweaver nw04s sp8",
        "scope": null,
        "trust": 0.3,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver nw04s sp11",
        "scope": null,
        "trust": 0.3,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver developer studio sp21",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "2004"
      },
      {
        "model": "netweaver nw04s sp7",
        "scope": null,
        "trust": 0.3,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "web dynpro runtime core components sp12",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "700"
      },
      {
        "model": "netweaver nw04 sp18",
        "scope": null,
        "trust": 0.3,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver nw04 sp19",
        "scope": null,
        "trust": 0.3,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver sp8",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "7.0"
      },
      {
        "model": "netweaver nw04 sp16",
        "scope": null,
        "trust": 0.3,
        "vendor": "sap",
        "version": null
      },
      {
        "model": "netweaver portal sp17",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "2004"
      },
      {
        "model": "netweaver developer studio sp17",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sap",
        "version": "-2004"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "33465"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001639"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3358"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200901-384"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:sap:netweaver:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:a:microsoft:internet_explorer:7.0.5730:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2008-3358"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Martin Suess",
    "sources": [
      {
        "db": "BID",
        "id": "33465"
      },
      {
        "db": "PACKETSTORM",
        "id": "74357"
      }
    ],
    "trust": 0.4
  },
  "cve": "CVE-2008-3358",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": false,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": true,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "None",
            "baseScore": 4.3,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2008-3358",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2008-3358",
            "trust": 1.8,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200901-384",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001639"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3358"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200901-384"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cross-site scripting (XSS) vulnerability in Web Dynpro (WD) in the SAP NetWeaver portal, when Internet Explorer 7.0.5730 is used, allows remote attackers to inject arbitrary web script or HTML via a crafted URI, which causes the XSS payload to be reflected in a text/plain document. SAP NetWeaver and Web Dynpro Java are prone to a cross-site scripting vulnerability because the applications fail to sufficiently sanitize user-supplied input. \nA successful exploit of this vulnerability could allow an attacker to compromise the application, access or modify data, or steal cookie-based authentication credentials. Other attacks are also possible. \nThis issue is associated with SAP notification number 1235253. #############################################################\n#\n# COMPASS SECURITY ADVISORY\n# http://www.csnc.ch/en/downloads/advisories.html\n#\n#############################################################\n#\n# Product:   NetWeaver/Web DynPro\n# Vendor:    SAP (www.sap.com)\n# CVD ID:    CVE-2008-3358\n# Subject:   Cross-Site Scripting Vulnerability\n# Risk:      High\n# Effect:    Remotely exploitable\n# Author:    Martin Suess \u003cmartin.suess@csnc.ch\u003e\n# Date:      January 27th 2009\n#\n#############################################################\n\nIntroduction:\n-------------\nThe vulnerability found targets the SAP NetWeaver portal. It is\npossible to execute JavaScript code in the browser of a valid user\nwhen clicking on a specially crafted URL which can be sent to the\nuser by email. \nThis vulnerability can be used to steal the user\u0027s session cookie or\nredirect him to a phishing website which shows the (faked) login\nscreen and gets his logon credentials as soon as he tries to log in\non the faked site. 
\n\nAffected:\n---------\n- All tested versions that are vulnerable\n\tSAP NetWeaver/Web DynPro\n\t[for detailed Information, see SAP Notification 1235253]\n\nDescription:\n------------\nA specially crafted URL in SAP NetWeaver allows an attacker to\nlaunch a Cross-Site Scripting attack. The resulting page contains\nonly the unfiltered value of the vulnerable parameter. It is possible\nto create an URL which causes the resulting page to contain malicious\nJavaScript code. A response to such a request could look like the\nfollowing example:\n\nHTTP/1.1 200 OK\nDate: Fri, 18 Jul 2008 13:13:30 GMT\nServer: \u003cserver\u003e\ncontent-type: text/plain\nContent-Length: 67\nKeep-Alive: timeout=10, max=500\nConnection: Keep-Alive\n\n\u003chtml\u003e\u003ctitle\u003etest\u003c/title\u003e\u003cbody onload=\"alert(document.cookie)\"\u003e\n\u003c/body\u003e\u003c/html\u003e\n\nThe code only gets executed in Microsoft Internet Explorer (tested\nwith version 7.0.5730 only). In Firefox (tested with version 3.0\nonly) it did not get executed as the content-type header of the\nserver response is interpreted more strictly (text/plain). \n\nSAP Information Policy:\n-----------------------\nThe information is available to registered SAP clients only (SAP\nSecurity Notes). \n\nPatches:\n--------\nApply the latest SAP security patches for Netweaver. \n\nTimeline:\n---------\nVendor Status:\t\tPatch released\nVendor Notified:\tJuly 21st 2008\nVendor Response:\tJuly 28th 2008\nPatch available:\tOctober 2008\nAdvisory Release:\tJanuary 27th 2009\n\nReferences:\n-----------\n- SAP Notification 1235253 (problem and patches)\n. 
----------------------------------------------------------------------\n\nDid you know that a change in our assessment rating, exploit code\navailability, or if an updated patch is released by the vendor, is\nnot part of this mailing-list?\n\nClick here to learn more:\nhttp://secunia.com/advisories/business_solutions/\n\n----------------------------------------------------------------------\n\nTITLE:\nSAP NetWeaver Cross-Site Scripting Vulnerability\n\nSECUNIA ADVISORY ID:\nSA33685\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/33685/\n\nCRITICAL:\nLess critical\n\nIMPACT:\nCross Site Scripting\n\nWHERE:\n\u003eFrom remote\n\nSOFTWARE:\nSAP NetWeaver 4.x\nhttp://secunia.com/advisories/product/9490/\n\nDESCRIPTION:\nA vulnerability has been reported in SAP NetWeaver, which can be\nexploited by malicious people to conduct cross-site scripting\nattacks. \n\nInput passed via the URL is not properly sanitised before being\nreturned to the user. This can be exploited to execute arbitrary HTML\nand script code in a user\u0027s browser session in context of an affected\nsite. \n\nSuccessful exploitation may require that the victim uses a browser\nwhich executes JavaScript statements in documents of the content type\n\"text/plain\" (e.g. Internet Explorer). \n\nSOLUTION:\nThe vendor has reportedly issued a patch via SAP Note 1235253. \nhttp://service.sap.com/sap/support/notes/1235253\n\nPROVIDED AND/OR DISCOVERED BY:\nMartin Suess, Compass Security\n\nORIGINAL ADVISORY:\nSAP:\nhttp://service.sap.com/sap/support/notes/1235253\n\nCompass Security:\nhttp://www.csnc.ch/misc/files/advisories/CVE-2008-3358.txt\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. 
\n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2008-3358"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001639"
      },
      {
        "db": "BID",
        "id": "33465"
      },
      {
        "db": "PACKETSTORM",
        "id": "74357"
      },
      {
        "db": "PACKETSTORM",
        "id": "74348"
      }
    ],
    "trust": 2.07
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2008-3358",
        "trust": 2.9
      },
      {
        "db": "BID",
        "id": "33465",
        "trust": 1.9
      },
      {
        "db": "SECUNIA",
        "id": "33685",
        "trust": 1.8
      },
      {
        "db": "OSVDB",
        "id": "51627",
        "trust": 1.6
      },
      {
        "db": "VUPEN",
        "id": "ADV-2009-0255",
        "trust": 1.6
      },
      {
        "db": "SECTRACK",
        "id": "1021638",
        "trust": 1.6
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001639",
        "trust": 0.8
      },
      {
        "db": "BUGTRAQ",
        "id": "20090127 SAP NETWEAVER XSS VULNERABILITY",
        "trust": 0.6
      },
      {
        "db": "XF",
        "id": "48237",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200901-384",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "74357",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "74348",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "33465"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001639"
      },
      {
        "db": "PACKETSTORM",
        "id": "74357"
      },
      {
        "db": "PACKETSTORM",
        "id": "74348"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3358"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200901-384"
      }
    ]
  },
  "id": "VAR-200901-0456",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.49319461333333336
  },
  "last_update_date": "2023-12-18T13:30:22.520000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top Page",
        "trust": 0.8,
        "url": "https://websmp206.sap-ag.de/"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001639"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001639"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3358"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.7,
        "url": "http://www.csnc.ch/misc/files/advisories/cve-2008-3358.txt"
      },
      {
        "trust": 1.7,
        "url": "http://service.sap.com/sap/support/notes/1235253"
      },
      {
        "trust": 1.6,
        "url": "http://osvdb.org/51627"
      },
      {
        "trust": 1.6,
        "url": "http://secunia.com/advisories/33685"
      },
      {
        "trust": 1.6,
        "url": "http://www.securityfocus.com/bid/33465"
      },
      {
        "trust": 1.6,
        "url": "http://www.securitytracker.com/id?1021638"
      },
      {
        "trust": 1.0,
        "url": "http://www.securityfocus.com/archive/1/500415/100/0/threaded"
      },
      {
        "trust": 1.0,
        "url": "http://www.vupen.com/english/advisories/2009/0255"
      },
      {
        "trust": 1.0,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48237"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3358"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-3358"
      },
      {
        "trust": 0.6,
        "url": "http://xforce.iss.net/xforce/xfdb/48237"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/archive/1/archive/1/500415/100/0/threaded"
      },
      {
        "trust": 0.6,
        "url": "http://www.frsirt.com/english/advisories/2009/0255"
      },
      {
        "trust": 0.3,
        "url": "http://www.sap.com/platform/netweaver/index.epx"
      },
      {
        "trust": 0.3,
        "url": "https://www.sdn.sap.com/irj/sdn/webdynpro"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/500415"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2008-3358"
      },
      {
        "trust": 0.1,
        "url": "https://www.sap.com)"
      },
      {
        "trust": 0.1,
        "url": "http://www.csnc.ch/en/downloads/advisories.html"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/secunia_security_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/product/9490/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/business_solutions/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/33685/"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "33465"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001639"
      },
      {
        "db": "PACKETSTORM",
        "id": "74357"
      },
      {
        "db": "PACKETSTORM",
        "id": "74348"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3358"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200901-384"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "BID",
        "id": "33465"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001639"
      },
      {
        "db": "PACKETSTORM",
        "id": "74357"
      },
      {
        "db": "PACKETSTORM",
        "id": "74348"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3358"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200901-384"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-01-27T00:00:00",
        "db": "BID",
        "id": "33465"
      },
      {
        "date": "2009-07-08T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-001639"
      },
      {
        "date": "2009-01-27T23:35:23",
        "db": "PACKETSTORM",
        "id": "74357"
      },
      {
        "date": "2009-01-27T15:25:01",
        "db": "PACKETSTORM",
        "id": "74348"
      },
      {
        "date": "2009-01-28T18:30:00.170000",
        "db": "NVD",
        "id": "CVE-2008-3358"
      },
      {
        "date": "2009-01-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200901-384"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-01-27T20:39:00",
        "db": "BID",
        "id": "33465"
      },
      {
        "date": "2009-07-08T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-001639"
      },
      {
        "date": "2018-10-11T20:48:04.660000",
        "db": "NVD",
        "id": "CVE-2008-3358"
      },
      {
        "date": "2009-02-05T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200901-384"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200901-384"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "SAP NetWeaver Portal  Web Dynpro (WD) Vulnerable to cross-site scripting",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001639"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "xss",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "74357"
      },
      {
        "db": "PACKETSTORM",
        "id": "74348"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200901-384"
      }
    ],
    "trust": 0.8
  }
}

