Cross-Site Scripting Vulnerability in SAP NetWeaver AS JAVA 7.3
CVE-2017-11458

6.1MEDIUM

Key Information:

Vendor: SAP
Status: Netweaver Application Server Java
Vendor: CVE Published:; 25 July 2017

Summary

A cross-site scripting vulnerability exists in the ctcprotocol/Protocol servlet of SAP NetWeaver AS JAVA 7.3. This flaw allows remote attackers to inject arbitrary web scripts or HTML into web pages viewed by users. The injected content can potentially manipulate the user’s session or facilitate other malicious activities through exploitation of the vulnerable sessionID parameter. Organizations using this version of SAP NetWeaver AS JAVA should take immediate action to mitigate the risk and protect their systems.

References

https://erpscan.io/advisories/erpscan-17-017-sap-netweave...

x_refsource_MISC

http://www.securityfocus.com/bid/97566

vdb-entryx_refsource_BID

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jul 25, 2017
Vulnerability Reserved
Jul 19, 2017