PT-2015-5585 · Sap · Sap Hana+1
Will Vandevanter
·
Published
2015-02-27
·
Updated
2018-10-09
·
CVE-2015-2072
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
SAP HANA version 1.00.73.00.389160
SAP HANA Developer Edition version 1.00.80.00.391861
Description
The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, affecting the SAP HANA and HANA Developer Edition. This can be done through the "ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs" or "xs/ide/editor/templates/trace/hanaTraceDetailService.xsjs" endpoints.
Recommendations
For SAP HANA version 1.00.73.00.389160, consider restricting access to the "ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs" and "xs/ide/editor/templates/trace/hanaTraceDetailService.xsjs" endpoints until a fix is available.
For SAP HANA Developer Edition version 1.00.80.00.391861, consider restricting access to the "ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs" and "xs/ide/editor/templates/trace/hanaTraceDetailService.xsjs" endpoints until a fix is available.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Sap Hana
Sap Hana Developer Edition