[ERPSCAN-16-004] SAP NetWeaver 7.4 (Pmitest servlet) – XSS vulnerability

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.4
Vendor URL: http://www.sap.com
Bugs: XSS
Reported: 01.09.2015
Vendor response: 02.09.2015
Date of Public Advisory: 12.01.2016
Reference: SAP Security Note 2234918
Author: Vahagn Vardanyan (ERPScan)

Class: Cross-Site Scripting, XSS [CWE-79]
Impact: information disclosure
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information
CVSS Base Score: 4.3 / 10
CVSS Base Vector:

AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) Medium (M)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality None (N)
I : Impact to Integrity Partial (P)
A : Impact to Availability None (N)

Business risk
An attacker can use a cross-site scripting vulnerability to inject a malicious script into a page.
Reflected XSS requires the attacker to trick a user: the victim must be made to follow a specially crafted link. With stored XSS, the malicious script is injected and permanently stored in the page body, so the user is attacked without performing any action.
The malicious script can access all cookies, session tokens and other critical information stored by the browser and used for interaction with the site. An attacker can gain access to the user's session and learn business-critical information; in some cases it is possible to take control of this information. XSS can also be used to modify displayed site content without authorization.

SAP NetWeaver J2EE Engine 7.40
Other versions are probably affected too, but they were not checked.

To correct this vulnerability, install SAP Security Note 2234918.

PMI can be abused by an attacker, allowing them to modify displayed application content and potentially obtain authentication information of other legitimate users.

An anonymous attacker can use a specially crafted HTTP request to hijack session data of administrators or users of the web resource.

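The business-risk section above describes the generic mechanism (a request parameter reflected into the page, a script that reads cookies and session tokens) and the technical description applies it to the Pmitest servlet. The following is an added example, not ERPScan's or SAP's code and not the Pmitest servlet itself: it shows, for a hypothetical servlet-style handler, the reflected pattern beside the hardened one, plus the response headers that limit what a reflected script could reach even if one slipped through. The class name, the method names, the page text, the sample input and the session id are all constructed for this illustration; the cookie name JSESSIONID is the common servlet-container default and is used here as an assumption.

```java
// Added example (hypothetical code, not SAP's Pmitest servlet or ERPScan's PoC).
import java.util.LinkedHashMap;
import java.util.Map;

public class PmiEchoHardening {

    // VULNERABLE pattern: a request parameter is concatenated straight into the
    // HTML body, so whatever a crafted link carries becomes markup in the page.
    static String renderUnsafe(String param) {
        return "<html><body><h1>Test result for " + param + "</h1></body></html>";
    }

    // Encode the characters that can change HTML body/attribute context.
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // HARDENED pattern: same page, parameter encoded for the HTML body context
    // at the point of output, so it is rendered as text rather than markup.
    static String renderSafe(String param) {
        return "<html><body><h1>Test result for " + htmlEncode(param) + "</h1></body></html>";
    }

    // Defence in depth: headers that reduce what a reflected script can do.
    // HttpOnly keeps the session cookie out of document.cookie, Secure keeps it
    // off plain HTTP, and the CSP blocks inline script (constructed policy).
    static Map<String, String> hardeningHeaders(String sessionId) {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Content-Type", "text/html; charset=UTF-8");
        h.put("Set-Cookie", "JSESSIONID=" + sessionId + "; Path=/; Secure; HttpOnly; SameSite=Lax");
        h.put("X-Content-Type-Options", "nosniff");
        h.put("Content-Security-Policy", "default-src 'self'; script-src 'self'");
        return h;
    }

    public static void main(String[] args) {
        // Constructed sample input: harmless markup, enough to show the difference.
        String untrusted = "<b>constructed</b> & \"quoted\"";

        System.out.println("unsafe: " + renderUnsafe(untrusted));
        System.out.println("safe:   " + renderSafe(untrusted));

        // Check: the hardened output must never echo the raw tag from the input.
        if (renderSafe(untrusted).contains("<b>")) {
            throw new AssertionError("output encoding failed");
        }
        if (!renderUnsafe(untrusted).contains("<b>")) {
            throw new AssertionError("unsafe variant should reflect the tag verbatim");
        }

        hardeningHeaders("constructed-session-id")
            .forEach((k, v) -> System.out.println(k + ": " + v));
    }
}
```

Compile and run with `javac PmiEchoHardening.java && java PmiEchoHardening`. The vendor fix is the SAP Security Note referenced above; the example only shows the class of change (encode at output, set HttpOnly/Secure on the session cookie) that closes this bug class, and the `contains("<b>")` check is the kind of assertion a regression test for the servlet would carry.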
To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: