Vulnerability-Lookup

CNVD-2016-02489

Vulnerability from cnvd - Published: 2016-04-25

Title

SAP Manufacturing Integration Intelligence跨站脚本漏洞

Description

SAP Manufacturing Integration Intelligence（又名MII,前称xMII）是德国思爱普（SAP）公司的一套将核心的生产制造系统与企业流程集成的平台。 SAP Manufacturing Integration Intelligence存在跨站脚本漏洞，允许远程攻击者通过向量与 UR 管制有关的注入任意web脚本或HTML。

Severity

中

Patch Name

SAP Manufacturing Integration Intelligence跨站脚本漏洞的补丁

Patch Description

Formal description

用户可联系供应商获得补丁信息： http://go.sap.com/index.html

Reference

https://erpscan.com/advisories/erpscan-16-021-sap-mii-reflected-xss-vulnerability/ https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4016

Impacted products

Name
SAP NetWeaver AS JAVA 7.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-4016"
    }
  },
  "description": "SAP Manufacturing Integration Intelligence\uff08\u53c8\u540dMII,\u524d\u79f0xMII\uff09\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u5c06\u6838\u5fc3\u7684\u751f\u4ea7\u5236\u9020\u7cfb\u7edf\u4e0e\u4f01\u4e1a\u6d41\u7a0b\u96c6\u6210\u7684\u5e73\u53f0\u3002\r\n\r\nSAP Manufacturing Integration Intelligence\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u5411\u91cf\u4e0e UR \u7ba1\u5236\u6709\u5173\u7684\u6ce8\u5165\u4efb\u610fweb\u811a\u672c\u6216HTML\u3002",
  "discovererName": "Nursultan Abubakirov , Vahagn Vardanyan (ERPScan)",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://go.sap.com/index.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-02489",
  "openTime": "2016-04-25",
  "patchDescription": "SAP Manufacturing Integration Intelligence\uff08\u53c8\u540dMII,\u524d\u79f0xMII\uff09\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u5c06\u6838\u5fc3\u7684\u751f\u4ea7\u5236\u9020\u7cfb\u7edf\u4e0e\u4f01\u4e1a\u6d41\u7a0b\u96c6\u6210\u7684\u5e73\u53f0\u3002\r\n\r\nSAP Manufacturing Integration Intelligence\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u901a\u8fc7\u5411\u91cf\u4e0e UR \u7ba1\u5236\u6709\u5173\u7684\u6ce8\u5165\u4efb\u610fweb\u811a\u672c\u6216HTML\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP Manufacturing Integration Intelligence\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "SAP NetWeaver AS JAVA 7.4"
  },
  "referenceLink": "https://erpscan.com/advisories/erpscan-16-021-sap-mii-reflected-xss-vulnerability/\r\nhttps://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4016",
  "serverity": "\u4e2d",
  "submitTime": "2016-04-21",
  "title": "SAP Manufacturing Integration Intelligence\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2016-4016 (GCVE-0-2016-4016)

Vulnerability from cvelistv5 – Published: 2016-04-14 14:00 – Updated: 2024-08-06 00:17

Summary

Cross-site scripting (XSS) vulnerability in SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) 15 allows remote attackers to inject arbitrary web script or HTML via the title parameter to webdynpro/resources/sap.com/xapps~xmii~ui~admin~navigation/NavigationApplication, aka SAP Security Note 2201295.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://erpscan.io/press-center/blog/dos-vulnerab…	x_refsource_MISC
	https://erpscan.io/advisories/erpscan-16-021-sap-…	x_refsource_MISC
	http://seclists.org/fulldisclosure/2016/Jul/46	mailing-listx_refsource_FULLDISC
	http://packetstormsecurity.com/files/137920/SAP-x…	x_refsource_MISC

Date Public ?

2016-04-12 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T00:17:30.886Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://erpscan.io/press-center/blog/dos-vulnerabilities-on-the-rise-sap-security-notes-april-2016/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://erpscan.io/advisories/erpscan-16-021-sap-mii-reflected-xss-vulnerability/"
          },
          {
            "name": "20160715 [ERPSCAN-16-021] SAP xMII - Reflected XSS vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2016/Jul/46"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/137920/SAP-xMII-15-Cross-Site-Scripting.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-04-12T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) 15 allows remote attackers to inject arbitrary web script or HTML via the title parameter to webdynpro/resources/sap.com/xapps~xmii~ui~admin~navigation/NavigationApplication, aka SAP Security Note 2201295."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-12-10T17:57:01.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://erpscan.io/press-center/blog/dos-vulnerabilities-on-the-rise-sap-security-notes-april-2016/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://erpscan.io/advisories/erpscan-16-021-sap-mii-reflected-xss-vulnerability/"
        },
        {
          "name": "20160715 [ERPSCAN-16-021] SAP xMII - Reflected XSS vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2016/Jul/46"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/137920/SAP-xMII-15-Cross-Site-Scripting.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-4016",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) 15 allows remote attackers to inject arbitrary web script or HTML via the title parameter to webdynpro/resources/sap.com/xapps~xmii~ui~admin~navigation/NavigationApplication, aka SAP Security Note 2201295."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://erpscan.io/press-center/blog/dos-vulnerabilities-on-the-rise-sap-security-notes-april-2016/",
              "refsource": "MISC",
              "url": "https://erpscan.io/press-center/blog/dos-vulnerabilities-on-the-rise-sap-security-notes-april-2016/"
            },
            {
              "name": "https://erpscan.io/advisories/erpscan-16-021-sap-mii-reflected-xss-vulnerability/",
              "refsource": "MISC",
              "url": "https://erpscan.io/advisories/erpscan-16-021-sap-mii-reflected-xss-vulnerability/"
            },
            {
              "name": "20160715 [ERPSCAN-16-021] SAP xMII - Reflected XSS vulnerability",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2016/Jul/46"
            },
            {
              "name": "http://packetstormsecurity.com/files/137920/SAP-xMII-15-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/137920/SAP-xMII-15-Cross-Site-Scripting.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-4016",
    "datePublished": "2016-04-14T14:00:00.000Z",
    "dateReserved": "2016-04-14T00:00:00.000Z",
    "dateUpdated": "2024-08-06T00:17:30.886Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2016-02489

CVE-2016-4016 (GCVE-0-2016-4016)

Tags

Sightings

Nomenclature