Vulnerability Details : CVE-2019-0319
The SAP Gateway, versions 7.5, 7.51, 7.52 and 7.53, allows an attacker to inject content which is displayed in the form of an error message. An attacker could thus mislead a user to believe this information is from the legitimate service when it's not.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2019-0319
- cpe:2.3:a:sap:ui5:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:sap:gateway:7.51:*:*:*:*:*:*:*
- cpe:2.3:a:sap:gateway:7.53:*:*:*:*:*:*:*
- cpe:2.3:a:sap:gateway:7.52:*:*:*:*:*:*:*
- cpe:2.3:a:sap:gateway:7.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-0319
- 7.87%: Probability of exploitation activity in the next 30 days
- ~ 94 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-0319
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-0319
- The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-0319
- https://drive.google.com/open?id=1aGFqggvydehSK7MFIsfKW7tO60yiF55f
  CVE-2019-0319.txt - Google Drive (Exploit; Third Party Advisory)
- https://cxsecurity.com/ascii/WLB-2019050283
  SAP UI5 1.0.0 is vulnerable to Content Spoofing in multiples parameters (Third Party Advisory)
- https://launchpad.support.sap.com/#/notes/2752614
  SAP ONE Support Launchpad: Log On (Permissions Required; Vendor Advisory)
- https://launchpad.support.sap.com/#/notes/2911267
  SAP ONE Support Launchpad: Log On
- http://packetstormsecurity.com/files/153661/SAPUI5-1.0.0-SAP-Gateway-7.5-7.51-7.52-7.53-Content-Spoofing.html
  SAPUI5 1.0.0 / SAP Gateway 7.5 / 7.51 / 7.52 / 7.53 Content Spoofing ≈ Packet Storm (Exploit; Third Party Advisory)
- http://www.securityfocus.com/bid/109074
  SAP Gateway CVE-2019-0319 Content Injection Vulnerability (Third Party Advisory; VDB Entry)
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575
  SAP Security Patch Day – July 2019 - Product Security Response at SAP - SCN Wiki (Vendor Advisory)