[ERPSCAN-16-015] SAP NetWeaver Java AS – multiple XSS vulnerabilities

Application: SAP NetWeaver
Versions Affected: SAP NetWeaver 7.4
Vendor URL: SAP
Bugs: XSS
Reported: 29.09.2015
Vendor response: 30.09.2015
Date of Public Advisory: 08.03.2016
Reference: SAP Security Note 2238765
Author: Vahagn Vardanyan (ERPScan)


Class: XSS
Impact: leakage of sensitive data
Remotely Exploitable: Yes
Locally Exploitable: No
CVSS Information
CVSS Base Score v3: 6.1 / 10
CVSS Base Vector:

AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) Low (L)
PR : Privileges Required (Level of privileges needed to exploit) None (N)
UI : User Interaction (Required user participation) Required (R)
S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C : Impact to Confidentiality Low (L)
I : Impact to Integrity Low (L)
A : Impact to Availability None (N)

Anonymous attacker can use a special HTTP request to hijack session data of administrators or users of a web resource.

Business risk
An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page.
Reflected XSS feature is the necessity of tricking a user from attackers’ side – they must make user follow a specially crafted link. Speaking about stored XSS, a malicious script is injected and permanently stored in a page body, this way the user is attacked without performing any actions.
The malicious script can access all cookies, session tokens, and other critical information stored by a browser and used for interaction with the site. The attacker can gain access to user’s session and learn business-critical information, in some cases it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed site content.


SAP NetWeaver AS JAVA 7.1 – 7.5
Other versions are probably affected too, but they were not checked.


To correct this vulnerability, install SAP Security Note 2238765


Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to CacheTimestampTest


http://SAP:50000/irj/servlet/prt/portal/prtroot/ com.sap.portal.cache.XXX.CacheTimestampTest? action=register&applicationName=%3Cimg%20src%3da%20onerror% 3dalert%28%27ERPSCAN%27%29%3E