Skip links

CVE-2019-0370 Multiple Vulnerabilities in SAP Financial Consolidation, SAP security note 2806403

Description

The SAP security note addresses several vulnerabilities identified in SAP Financial Consolidation. The vulnerability details along with their CVE relevant information can be found below.

1. XPath Injection

The SAP Financial Consolidation legacy web enables malicious users to use crafted input to break out of the data context in which their input appears and to interfere with the structure of the surrounding query.

  • CVE-2019-0370
  • CVSS Score: 5.4; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Some well Known impact of Xpath injection vulnerability include

  • exploitation of an XPath injection flaw in order to read sensitive application data or to interfere with application logic.

2. Cross Site Scripting

The SAP Financial Consolidation legacy web client does not sufficiently encode user controlled inputs, resulting in a reflected cross-site scripting (XSS) vulnerability.

  • CVE-2019-0369
  • CVSS Score: 5.4; CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Some well-known impacts of XSS vulnerability include

  • non-permanently deface or modify displayed content from a web site
  • steal authentication information of the user, such as data relating to their current session
  • impersonate the user and access all information with the same rights as the target user

Available fix and Supported packages

  • FINANCE | 1000 | 1000
  • FINANCE | 1010 | 1010
  • SBOP FINANCIAL CONS. 10.0 | SP019 | 000010
  • SBOP FINANCIAL CONS. 10.0 | SP020 | 000000
  • SBOP FINANCIAL CONS. 10.1 | SP008 | 000002
  • SBOP FINANCIAL CONS. 10.1 | SP009 | 000000

Affected component

    EPM-BFC-TCL
    Technical Components

CVSS

Score: 5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/2806403

TAGS

#BOFC
#BFC
#XPath-Injection
#Reflected-XSS
#&160-CSS
#CVE-2019-0370
#CVE-2019-0369