VAR-201402-0240
Vulnerability from variot - Updated: 2025-04-11 23:04Cross-site scripting (XSS) vulnerability in the Integration Repository in the SAP Exchange Infrastructure (BC-XI) component in SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via vectors related to the ESR application and a DIR error. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There are several vulnerabilities in SAP NetWeaver: 1. Portal handles the vulnerability of WebDyn Pro and can leak path information. 2, the message server has an unspecified error, allowing the attacker to exploit the vulnerability to crash the server. 3. 4. Some of the relevant ISpeakAdapter inputs lack filtering before returning to the user, allowing remote attackers to exploit the vulnerability for cross-site scripting attacks to obtain sensitive information or hijack user sessions. A remote attacker can exploit a vulnerability to get sensitive information or crash an application. SAP NetWeaver is prone to multiple security vulnerabilities, including: 1. An information-disclosure vulnerability 2. Multiple cross-site scripting vulnerabilities 3. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201402-0240",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "netweaver",
"scope": "eq",
"trust": 1.6,
"vendor": "sap",
"version": null
},
{
"model": "netweaver exchange infrastructure \\",
"scope": "eq",
"trust": 1.6,
"vendor": "sap",
"version": null
},
{
"model": "netweaver",
"scope": null,
"trust": 0.8,
"vendor": "sap",
"version": null
},
{
"model": "netweaver exchange infrastructure",
"scope": null,
"trust": 0.8,
"vendor": "sap",
"version": null
},
{
"model": "netweaver",
"scope": "eq",
"trust": 0.6,
"vendor": "sap",
"version": "7.x"
},
{
"model": "netweaver",
"scope": "eq",
"trust": 0.3,
"vendor": "sap",
"version": "0"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01007"
},
{
"db": "BID",
"id": "65547"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001414"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-207"
},
{
"db": "NVD",
"id": "CVE-2014-1964"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:sap:netweaver",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:sap:netweaver_exchange_infrastructure_%28bc-xi%29",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-001414"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Alexander Polyakov, George Nosenko and Dmitry Chastukhin",
"sources": [
{
"db": "BID",
"id": "65547"
}
],
"trust": 0.3
},
"cve": "CVE-2014-1964",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2014-1964",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2014-01007",
"impactScore": 4.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2014-1964",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2014-1964",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2014-01007",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201402-207",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01007"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001414"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-207"
},
{
"db": "NVD",
"id": "CVE-2014-1964"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cross-site scripting (XSS) vulnerability in the Integration Repository in the SAP Exchange Infrastructure (BC-XI) component in SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via vectors related to the ESR application and a DIR error. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There are several vulnerabilities in SAP NetWeaver: 1. Portal handles the vulnerability of WebDyn Pro and can leak path information. 2, the message server has an unspecified error, allowing the attacker to exploit the vulnerability to crash the server. 3. 4. Some of the relevant ISpeakAdapter inputs lack filtering before returning to the user, allowing remote attackers to exploit the vulnerability for cross-site scripting attacks to obtain sensitive information or hijack user sessions. A remote attacker can exploit a vulnerability to get sensitive information or crash an application. SAP NetWeaver is prone to multiple security vulnerabilities, including:\n1. An information-disclosure vulnerability\n2. Multiple cross-site scripting vulnerabilities\n3. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks",
"sources": [
{
"db": "NVD",
"id": "CVE-2014-1964"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001414"
},
{
"db": "CNVD",
"id": "CNVD-2014-01007"
},
{
"db": "BID",
"id": "65547"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2014-1964",
"trust": 3.0
},
{
"db": "SECUNIA",
"id": "56947",
"trust": 1.6
},
{
"db": "BID",
"id": "65547",
"trust": 0.9
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001414",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2014-01007",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201402-207",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01007"
},
{
"db": "BID",
"id": "65547"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001414"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-207"
},
{
"db": "NVD",
"id": "CVE-2014-1964"
}
]
},
"id": "VAR-201402-0240",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01007"
}
],
"trust": 0.87111164
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01007"
}
]
},
"last_update_date": "2025-04-11T23:04:01.817000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Acknowledgments to Security Researchers",
"trust": 0.8,
"url": "http://scn.sap.com/docs/DOC-8218"
},
{
"title": "SAP NetWeaver has multiple vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/43676"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01007"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001414"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-001414"
},
{
"db": "NVD",
"id": "CVE-2014-1964"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "http://erpscan.com/advisories/erpscan-14-005-sap-netweaver-dir-error-xss/"
},
{
"trust": 1.6,
"url": "https://service.sap.com/sap/support/notes/1788080"
},
{
"trust": 1.6,
"url": "http://secunia.com/advisories/56947"
},
{
"trust": 1.6,
"url": "http://scn.sap.com/docs/doc-8218"
},
{
"trust": 1.0,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91095"
},
{
"trust": 1.0,
"url": "https://erpscan.io/advisories/erpscan-14-005-sap-netweaver-dir-error-xss/"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1964"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-1964"
},
{
"trust": 0.6,
"url": "http://erpscan.com/advisories/erpscan-14-001-sap-netweaver-message-server-dos/"
},
{
"trust": 0.6,
"url": "http://erpscan.com/advisories/erpscan-14-002-sap-portal-webdynpro-path-disclosure/"
},
{
"trust": 0.6,
"url": "http://erpscan.com/advisories/erpscan-14-006-sap-netweaver-pip-xss/"
},
{
"trust": 0.3,
"url": "http://www.sap.com"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2014-01007"
},
{
"db": "BID",
"id": "65547"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001414"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-207"
},
{
"db": "NVD",
"id": "CVE-2014-1964"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2014-01007"
},
{
"db": "BID",
"id": "65547"
},
{
"db": "JVNDB",
"id": "JVNDB-2014-001414"
},
{
"db": "CNNVD",
"id": "CNNVD-201402-207"
},
{
"db": "NVD",
"id": "CVE-2014-1964"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-02-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-01007"
},
{
"date": "2014-02-01T00:00:00",
"db": "BID",
"id": "65547"
},
{
"date": "2014-02-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-001414"
},
{
"date": "2014-02-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201402-207"
},
{
"date": "2014-02-14T15:55:07.563000",
"db": "NVD",
"id": "CVE-2014-1964"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2014-02-18T00:00:00",
"db": "CNVD",
"id": "CNVD-2014-01007"
},
{
"date": "2014-02-01T00:00:00",
"db": "BID",
"id": "65547"
},
{
"date": "2014-02-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2014-001414"
},
{
"date": "2014-02-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201402-207"
},
{
"date": "2025-04-11T00:51:21.963000",
"db": "NVD",
"id": "CVE-2014-1964"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201402-207"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "SAP NetWeaver of Exchange Infrastructure Component cross-site scripting vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2014-001414"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201402-207"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…