Vulnerability Details : CVE-2019-0370
Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading to XPath Injection.
Products affected by CVE-2019-0370
- cpe:2.3:a:sap:financial_consolidation:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:sap:financial_consolidation:10.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-0370
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 33 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-0370
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
10.0
|
4.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
3.9
|
2.5
|
NIST |
CWE ids for CVE-2019-0370
-
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-0370
-
https://launchpad.support.sap.com/#/notes/2806403
Permissions Required
-
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050
Vendor Advisory
Jump to