CVE-2015-8840
HIGH
SAP NetWeaver AS Java - Missing Authorization in XML Data Archiving Service
Title source: llmDescription
The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215.
References (2)
Core References
Broken Link x_refsource_misc
http://scn.sap.com/community/security/blog/2015/07/15/sap-security-notes-july-2015
Third Party Advisory x_refsource_misc
https://erpscan.io/advisories/erpscan-15-017-sap-netweaver-j2ee-das-service-unauthorized-access/
Scores
CVSS v3: 8.8
EPSS: 0.0048
EPSS Percentile: 65.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-862
Status: published
Products (1)
sap/netweaver_application_server_java
Published: Apr 08, 2016
Tracked Since: Feb 18, 2026