CVE-2016-3975

Name of the Vulnerable Software and Affected Versions SAP NetWeaver AS Java versions 7.1 through 7.5

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the navigationTarget parameter to the "/irj/servlet/prt/portal/prteventname/XXX/prtroot/com.sapportals.navigation.testComponent.NavigationURLTester" API endpoint.

Recommendations For SAP NetWeaver AS Java versions 7.1 through 7.5, consider restricting access to the vulnerable API endpoint until a fix is available. Avoid using the navigationTarget parameter in the affected endpoint to minimize the risk of exploitation.