Vulnerability Description
Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester, aka SAP Security Note 2238375.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sap | Netweaver Application Server Java | >= 7.10, <= 7.50 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/137529/SAP-NetWeaver-AS-JAVA-7.5-Cross-Site (Exploit, Third Party Advisory, VDB Entry)
- http://seclists.org/fulldisclosure/2016/Jun/42 (Exploit, Mailing List, Third Party Advisory)
- https://erpscan.io/advisories/erpscan-16-014-sap-netweaver-7-4-navigationurltest (Third Party Advisory)
- https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review/ (Third Party Advisory)
FAQ
What is CVE-2016-3975?
CVE-2016-3975 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to irj/servlet/prt/p...
How severe is CVE-2016-3975?
CVE-2016-3975 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-3975?
Check the references section above for vendor advisories and patch information. Affected products include: Sap Netweaver Application Server Java.