Vulnerability Details : CVE-2015-4091
XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to tc~sld~wd~main/Main, related to "CIM UPLOAD," aka SAP Security Note 2090851.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2015-4091
- cpe:2.3:a:sap:sap_netweaver_application_server_java:7.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-4091
- EPSS score: 0.66% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~80% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2015-4091
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
References for CVE-2015-4091
- SAP NetWeaver AS Java XXE Injection (Packet Storm): http://packetstormsecurity.com/files/133122/SAP-NetWeaver-AS-Java-XXE-Injection.html
- SecurityFocus mailing list thread: http://www.securityfocus.com/archive/1/536239/100/0/threaded
- SAP NetWeaver Application Server Java CVE-2015-4091 XML External Entity Injection Vulnerability (SecurityFocus BID 74850): http://www.securityfocus.com/bid/74850
- [ERPSCAN-15-013] SAP NetWeaver AS Java CIM UPLOAD - XXE (ERPScan advisory): https://erpscan.io/advisories/erpscan-15-013-sap-netweaver-as-java-cim-upload-xxe
- Full Disclosure: SAP Security Notes May 2015: http://seclists.org/fulldisclosure/2015/May/96