ERPScanERPSCAN-16-014SAP NetWeaver AS Java NavigationURLTester - XSS vulnerability
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
72.5%
Application: SAP NetWeaver **Versions Affected:**SAP NetWeaver 7.4 Vendor URL: SAP **Bugs:**XSS vulnerability **Reported:**20.10.2015 **Vendor response:**21.10.2015 **Date of Public Advisory:**08.03.2016 **Reference:**SAP Security Note 2238375 Author: Vahagn Vardanyan (ERPScan)
VULNERABILITY INFORMATION
Class: XSS
Impact: leakage of sensitive data
Remotely Exploitable: Yes
Locally Exploitable: No
CVE-2016-3975
CVSS Information
CVSS Base Score v3: 6.1 / 10
CVSS Base Vector:
| AV : Attack Vector (Related exploit range) | Network (N) |
|---|---|
| AC : Attack Complexity (Required attack complexity) | Low (L) |
| PR : Privileges Required (Level of privileges needed to exploit) | None (N) |
| UI : User Interaction (Required user participation) | Required ® |
| S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Changed © |
| C : Impact to Confidentiality | Low (L) |
| I : Impact to Integrity | Low (L) |
| A : Impact to Availability | None (N) |
Description
Anonymous attacker can use a special HTTP request to hijack session data of administrators or users of a web resource.
Business risk
An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a web page. Reflected XSS feature is the necessity of tricking a user from attackers’ side – they must make user follow a specially-crafted link.
Speaking about a stored XSS, a malicious script is injected and permanently stored in a web page body, this way the user is attacked without performing any actions.
Malicious script can access all cookies, session tokens, and other critical information stored by a browser and used for interaction with the site. An attacker can gain access to user’s session and learn business-critical information, in some cases it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed site content.
VULNERABLE PACKAGES
SAP NetWeaver AS JAVA 7.1 – 7.5
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2238375
TECHNICAL DESCRIPTION
Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to NavigationURLTester.
PoC
http://SAP:50000/irj/servlet/prt/portal/prteventname/XXX/prtroot/ com.sapportals.navigation.testComponent.NavigationURLTester? navigationTarget=ROLES%3a%2f%2fportal_content%2fadministrator%2fsuper_admin% 2fsuper_admin_role%2fcom.sap.portal. system_administration%2fcom.sap.portal.system_admin_ws%2fcom.sap.portal. transport%2fcom.sap.portal.transport_packages%2fcom.sap. portal.wd_admin_studio_export<img%20src%3da%20onerror%3dalert(‘ERPSCAN’) >&portalAlias=& navMode=&queryString=&getNavigationURL=getNavigationURL
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
72.5%