Description
Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not restrict or incorrectly restrict frame objects or UI layers that belong to another application or domain, resulting in a Clickjacking vulnerability. Successful exploitation of this vulnerability leads to unwanted modification of the user's data.
References (2)
Core References
Permissions Required, Vendor Advisory x_refsource_misc
https://launchpad.support.sap.com/#/notes/2755502
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=521864242
Scores
CVSS v3
4.3
EPSS
0.0016
EPSS Percentile
36.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Details
CWE
CWE-1021
Status
published
Products (7)
sap/netweaver_process_integration 7.10
sap/netweaver_process_integration 7.11
sap/netweaver_process_integration 7.20
sap/netweaver_process_integration 7.30
sap/netweaver_process_integration 7.31
sap/netweaver_process_integration 7.40
sap/netweaver_process_integration 7.50
Published
Jun 12, 2019
Tracked Since
Feb 18, 2026