CVE-2016-2387

Name of the Vulnerable Software and Affected Versions SAP NetWeaver version 7.4

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the Java Proxy Runtime ProxyServer servlet. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the ns or interface parameter to "ProxyServer/register". The vulnerability exists due to the lack of protection of the web page structure, which can be exploited by a remote attacker to inject arbitrary web or HTML code.

Recommendations For SAP NetWeaver version 7.4, apply the fix as described in SAP Security Note 2220571 to resolve the issue. As a temporary workaround, consider restricting access to the ProxyServer/register endpoint to minimize the risk of exploitation. Avoid using the ns and interface parameters in the affected API endpoint until the issue is resolved.