CVE-2019-0316

Severity: 4.8 MEDIUM
EPSS: 0.2% (top 57.93%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 14; latest update May 24

Description

SAP NetWeaver Process Integration, versions: SAP_XIESR: 7.20, SAP_XITOOL: 7.10 to 7.11, 7.30, 7.31, 7.40, 7.50, does not sufficiently validate user-controlled inputs, which allows an attacker possessing admin privileges to read and modify data from the victim’s browser by injecting malicious scripts in certain servlets. The scripts are executed when the victim is tricked into clicking on those malicious links, resulting in a reflected Cross Site Scripting vulnerability.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

Affected Packages: 3 packages

🔴Vulnerability Details

2
GHSA
GHSA-vf7w-fvmr-776r: SAP NetWeaver Process Integration, versions: SAP_XIESR: 7 | 2022-05-24
CVEList
CVE-2019-0316: SAP NetWeaver Process Integration, versions: SAP_XIESR: 7 | 2019-06-14

💥Exploits & PoCs

1
Exploit-DB
ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path | 2019-10-15
CVE-2019-0316 (MEDIUM CVSS 4.8) | SAP NetWeaver Process Integration | cvebase.io