Cross-Site Scripting Vulnerability in SAP NetWeaver Java Application Server
CVE-2019-0275

5.4MEDIUM

Key Information:

Vendor
SAP
Status
SAP Netweaver Java Application Server (j2ee-apps)
Vendor
CVE Published:
12 March 2019

Summary

The SAML 1.1 SSO Demo Application in SAP NetWeaver Java Application Server is vulnerable due to insufficient encoding of user-controlled inputs. This weakness can potentially be exploited to execute arbitrary scripts in the context of the user’s session, leading to unauthorized actions and leakage of sensitive information. Organizations using affected versions should take proactive measures to mitigate this risk by applying appropriate controls and patches.

Affected Version(s)

SAP NetWeaver Java Application Server (J2EE-APPS) < 7.10 to 7.11 < 7.10 to 7.11

SAP NetWeaver Java Application Server (J2EE-APPS) < 7.20 < 7.20

SAP NetWeaver Java Application Server (J2EE-APPS) < 7.30 < 7.30

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...
x_refsource_MISC
https://launchpad.support.sap.com/#/notes/2689925
x_refsource_MISC
http://www.securityfocus.com/bid/107362
vdb-entryx_refsource_BID

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.