[ERPSCAN-16-001] SAP NetWeaver 7.4 (MDT component) – XSS vulnerability
Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.4
Vendor URL: http://www.sap.com
Vendor response: 02.09.2015
Date of Public Advisory: 12.01.2016
Reference: SAP Security Note 2206793
Author: Vahagn Vardanyan (ERPScan)
Class: Cross-Site Scripting, XSS [CWE-79]
Impact: information disclosure, theft of anti-CSRF tokens
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Base Score: 4.3 / 10
CVSS Base Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
  AV : Access Vector (Related exploit range)                       Network (N)
  AC : Access Complexity (Required attack complexity)              Medium (M)
  Au : Authentication (Level of authentication needed to exploit)  None (N)
  C  : Impact to Confidentiality                                   None (N)
  I  : Impact to Integrity                                         Partial (P)
  A  : Impact to Availability                                      None (N)
DESCRIPTION
An attacker can use a cross-site scripting vulnerability to inject a malicious script into a page.
Reflected XSS requires the attacker to trick the victim: the user must be made to follow a specially crafted link. With stored XSS, the malicious script is injected and permanently stored in the page body, so the user is attacked without performing any action.
The malicious script can access all cookies, session tokens and other critical information stored by the browser and used for interaction with the site. An attacker can gain access to the user's session and learn business-critical information; in some cases it is possible to take control over this information. XSS can also be used to modify displayed site content without authorization.
An anonymous attacker can use a specially crafted HTTP request to hijack session data of administrators or users of the web resource.
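The reflected-XSS mechanics described above, as an added illustration that is not ERPScan's or SAP's code and does not reproduce the MDT flaw itself: a hypothetical message-display page that echoes a request parameter, the same page with output encoding, a session-cookie header whose flags limit what an injected script can reach, and a coarse detection pass over constructed access-log request lines. The path `/mdt/show`, the parameter names, the `JSESSIONID` cookie name and the log lines are all assumptions made for the example.

```python
"""Added illustration of the reflected XSS class described in this advisory.
Not ERPScan's or SAP's code; page, parameter names and log lines are constructed."""
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed probe string of the kind used to confirm that a sink reflects input unencoded.
PROBE = "<script>alert(1)</script>"


def render_vulnerable(msg_id: str) -> str:
    """Hypothetical message-display page that writes a request parameter into
    the HTML body verbatim: the reflected XSS pattern."""
    return f"<h1>Message {msg_id}</h1>"


def render_hardened(msg_id: str) -> str:
    """Same page with HTML entity encoding for the HTML-body context, so that
    '<', '>', '&' and quotes can no longer open a tag or break out of an attribute."""
    return f"<h1>Message {html.escape(msg_id, quote=True)}</h1>"


def is_reflected_unencoded(page: str, probe: str = PROBE) -> bool:
    """Verification check: does the raw probe survive into the response body?"""
    return probe in page


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header hardened against script access. HttpOnly keeps the value out of
    document.cookie; Secure and SameSite limit where it is sent. These flags do NOT protect
    an anti-CSRF token embedded in the page body, which an injected script can still read;
    only output encoding removes the injection itself. Cookie name is an assumption."""
    return f"Set-Cookie: JSESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Detection side: markers of script-bearing parameter values. Deliberately coarse; it is a
# triage heuristic for logs, not a filter to rely on in place of encoding.
_XSS_MARKERS = re.compile(r"<\s*script|javascript:|(?:^|[\s\"'])on\w+\s*=", re.IGNORECASE)


def suspicious_params(request_line: str) -> list:
    """Return (name, decoded_value) pairs whose value carries an XSS marker.
    Input is the 'GET /path?query HTTP/1.1' part of an access-log entry;
    parse_qs performs the percent-decoding, so values are inspected decoded."""
    try:
        _method, target, _proto = request_line.split(" ", 2)
    except ValueError:
        return []
    query = urlsplit(target).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if _XSS_MARKERS.search(value):
                hits.append((name, value))
    return hits


# Constructed access-log request lines; no real host, path or parameter from the advisory.
SAMPLE_REQUESTS = [
    "GET /mdt/show?msgId=42 HTTP/1.1",
    "GET /mdt/show?msgId=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",
    "GET /mdt/show?msgId=1&cb=x%22%20onerror%3Dalert(1) HTTP/1.1",
]

if __name__ == "__main__":
    print(render_vulnerable(PROBE))
    print(render_hardened(PROBE))
    print(session_cookie_header("constructed-session-id"))
    for line in SAMPLE_REQUESTS:
        print(line, "->", suspicious_params(line))
```

Running the block prints the vulnerable and encoded renderings side by side and flags the second and third constructed log lines; the first, a plain numeric parameter, produces no hit. The encoding in `render_hardened` is correct only for the HTML-body context; a value written into a JavaScript block or a URL attribute needs the encoder for that context.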
VULNERABLE PACKAGES
SAP NetWeaver J2EE Engine 7.40.
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2206793.
BUSINESS RISK
The Runtime Workbench (RWB) can be abused by attackers, allowing them to modify displayed application content and potentially obtain authentication information from other legitimate users.
To prevent this issue, as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: