PT-2016-5785 · Sap · Sap Netweaver As Java

Vahagn Vardanyan

Published

2016-04-07

Updated

2021-04-20

CVE-2016-3973

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions SAP NetWeaver Java AS versions 7.1 through 7.5

Description The issue allows remote attackers to obtain sensitive user information by exploiting the chat feature in the Real-Time Collaboration (RTC) services. This can be done by visiting the "/webdynpro/resources/sap.com/tc~~rtc~~coll.appl.rtc~wd chat/Chat#" endpoint, pressing "Add users", and then performing a search.

Recommendations For SAP NetWeaver Java AS versions 7.1 through 7.5, consider restricting access to the chat feature in the Real-Time Collaboration (RTC) services until a fix is available. As a temporary workaround, avoid using the search function in the chat feature to minimize the risk of exploitation.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2016-3973

Affected Products

Sap Netweaver As Java

PT-2016-5785 · Sap · Sap Netweaver As Java

CVE-2016-3973

Weakness Enumeration

Related Identifiers

Affected Products

References · 6