CVE-2015-2811

XML external entity (XXE) vulnerability in ReportXmlViewer in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2111939.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/132358/SAP-NetWeaver-Portal-7.31-XXE-Injection.html
http://seclists.org/fulldisclosure/2015/Jun/64
http://www.securityfocus.com/archive/1/535827/100/800/threaded
http://www.securityfocus.com/bid/73691
https://erpscan.io/advisories/erpscan-15-006-sap-netweaver-portal-reportxmlviewer-xxe/

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:netweaver_enterprise_portal:7.31:*:*:*:*:*:*:*

History

No history.

Information

Published : 2015-04-01 14:59

Updated : 2023-12-10 11:31

NVD link : CVE-2015-2811

Mitre link : CVE-2015-2811

CVE.ORG link : CVE-2015-2811

JSON object : View

Products Affected

sap

netweaver_enterprise_portal

CWE

NVD-CWE-Other

{"id": "CVE-2015-2811", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-04-01T14:59:09.973", "references": [{"url": "http://packetstormsecurity.com/files/132358/SAP-NetWeaver-Portal-7.31-XXE-Injection.html", "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2015/Jun/64", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/archive/1/535827/100/800/threaded", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/73691", "source": "cve@mitre.org"}, {"url": "https://erpscan.io/advisories/erpscan-15-006-sap-netweaver-portal-reportxmlviewer-xxe/", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in ReportXmlViewer in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2111939."}, {"lang": "es", "value": "Vulnerabilidad de entidad externa XML (XXE) en ReportXmlViewer en SAP NetWeaver Portal 7.31.201109172004 permite a atacantes remotos enviar solicitudes a servidores de intranet a trav\u00e9s de XML manipulado, tambi\u00e9n conocido como la nota de seguridad de SAP Security 2111939."}], "lastModified": "2018-12-10T19:29:06.983", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_enterprise_portal:7.31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E666D8FD-1F21-4E97-80BB-D560AB125DB5"}], "operator": "OR"}]}], "evaluatorComment": "<a href=\"http://cwe.mitre.org/data/definitions/611.html\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", "sourceIdentifier": "cve@mitre.org"}