ERPScanERPSCAN-16-021SAP xMII - Reflected XSS vulnerability
0.003 Low
EPSS
Percentile
71.8%
Application: SAP NetWeaver AS JAV **Versions Affected:**SAP NetWeaver AS JAVA 7.4 **Vendor URL: ** SAP **Bugs: **XSS **Reported: **05.05.2015 **Vendor response:**06.05.2015 **Date of Public Advisory:**12.04.2016 **Reference: **SAP Security Note 2201295 Author: Nursultan Abubakirov , Vahagn Vardanyan (ERPScan)
VULNERABILITY INFORMATION
Class: Cross-site scripting
Impact: steal user’s cookies, modify web page contents
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-4016
CVSS Information
CVSS Base Score v3: 6.1 / 10
CVSS Base Vector:
| AV : Attack Vector (Related exploit range) | Network (N) |
|---|---|
| AC : Attack Complexity (Required attack complexity) | Low (L) |
| PR : Privileges Required (Level of privileges needed to exploit) | None (N) |
| UI : User Interaction (Required user participation) | Required ® |
| S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) | Changed © |
| C : Impact to Confidentiality | Low (L) |
| I : Impact to Integrity | Low (L) |
| A : Impact to Availability | None (N) |
Description
Anonymous attacker can use a special HTTP request to hijack session data of administrators or users of a web resource.
Business risk
An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page.
Reflected XSS feature is the necessity of tricking a user from an attackers’ side – they must make user follow a specially crafted link. Speaking about stored XSS, the malicious script is injected and permanently stored in a page body, thus a victim is attacked without performing any actions.
The malicious script can access all cookies, session tokens, and other critical information stored by a browser and used for interaction with the site. The attacker can gain access to user session and learn business-critical information, in some cases it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed site content.
VULNERABLE PACKAGES
SAP NetWeaver AS JAVA xMII 7.4
Other versions are probably affected too, but they were not checked.
SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SA Security2201295
TECHNICAL DESCRIPTION
Proof of Concept
http://SAP_URL:SAP_PORT/webdynpro/resources/sap.com/xapps~xmii~ui~admin~navigation/NavigationApplication?view=com.sap.itsam.cfg.mii.admin.KPIMonitor&deployable=sap.com/xapps~xmii~ui~admin~alert&component=com.sap.xapps.xmii.ui.admin.rootcomponent.RootComponent&title=</script><img src=a onerror=alert(“ERPScan”)>#
1
|
http://SAP_URL:SAP_PORT/webdynpro/resources/sap.com/xapps~xmii~ui~admin~navigation/NavigationApplication?view=com.sap.itsam.cfg.mii.admin.KPIMonitor&deployable=sap.com/xapps~xmii~ui~admin~alert&component=com.sap.xapps.xmii.ui.admin.rootcomponent.RootComponent&title=</script><img src=a onerror=alert(“ERPScan”)>#
—|—
Related
