We just got credits for a flaw we found in SAP Netweaver. The issue is a reflected Cross-Site Scripting (XSS). It can be triggered in the administrative interface for the Internet Communication Manager (ICM) and Web Dispatcher. This means that the targets for this XSS will definitely be users with administrative privileges. This makes it especially juicy for an attacker.
SAP rated the vulnerability with CVSS and a Base Score of 4.3 having a Base Vector of AV:N/AC:M/AU:N/C:N/I:P/A:N. Which again opens the discussion on how to rate the impact of XSS by using CVSS. CVSS states that XSS “should be scored with no impact to confidentiality or availability, and partial impact to integrity“, which is clearly arguable. Especially when thinking of the impact on confidentiality. As you might know by now, we tried to tackle the problem of rating vulnerabilities ourselves with the ERNW Rapid Rating System (ERRS) and it was not an easy task. 😉 However, SAP states that this is a correction with high priority, so you should apply the patches as soon as possible.
We think that this is a good opportunity to point you to the TROOPERS 14 BIZEC workshop, which will be held on 18 March 2014! This is the perfect place to discuss SAP security with the experts! 😉
Cheers,
Florian