CVE-2019-0305

CWE-1021 — Clickjacking CWE-502 — Deserialization of Untrusted Data3 documents3 sources

Severity

4.3MEDIUM

EPSS

0.2%

top 62.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Process Integration(sap Xiesr AND SAP Xitool)SAP Netweaver Process Integration

Timeline

PublishedJun 12

Latest updateMay 24

Description

Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not restrict or incorrectly restrict frame objects or UI layers that belong to another application or domain, resulting in Clickjacking vulnerability. Successful exploitation of this vulnerability leads to unwanted modification of user's data.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_process_integration(sap_xiesr_and_sap_xitool)< 7.10 to 7.11+5

▶NVDsap/netweaver_process_integration7 versions+6

🔴Vulnerability Details

GHSA

GHSA-gw78-fprf-vrm2: Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7↗2022-05-24

▶

CVEList

CVE-2019-0305: Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7↗2019-06-12

▶