CVE-2019-0370

MEDIUM

SAP Financial Consolidation <10.0-10.1 - XPath Injection

Title source: llm

Description

Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading to XPath Injection.

References (2)

[Vendor Advisory] https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050

[Permissions Required] https://launchpad.support.sap.com/#/notes/2806403

Scores

CVSS v3 6.5

EPSS 0.0029

EPSS Percentile 51.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE

CWE-91

Status published

Products (2)

sap/financial_consolidation 10.0

sap/financial_consolidation 10.1

Published Oct 08, 2019

Tracked Since Feb 18, 2026