CVE-2016-2387
MEDIUM
SAP NetWeaver 7.4 - Cross-Site Scripting via ProxyServer Servlet Parameters
Title source: llm
Description
Multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy Runtime ProxyServer servlet in SAP NetWeaver 7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) ns or (2) interface parameter to ProxyServer/register, aka SAP Security Note 2220571.
References (4)
Core References
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/137045/SAP-NetWeaver-AS-JAVA-7.4-Cross-Site-Scripting.html
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2016/May/39
Third Party Advisory x_refsource_misc
https://erpscan.io/advisories/erpscan-16-008-sap-netweaver-7-4-proxyserver-servlet-xss-vulnerability/
Third Party Advisory x_refsource_misc
https://erpscan.io/press-center/blog/sap-security-notes-february-2016-review/
Scores
CVSS v3: 6.1
EPSS: 0.0023
EPSS Percentile: 45.2%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (1): sap/netweaver 7.40
Published: Feb 16, 2016
Tracked Since: Feb 18, 2026