Vulnerabilities > CVE-2017-8913 - XXE vulnerability in SAP Netweaver 7.5

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

sap

CWE-611

NVD

Published: 2017-05-23

Updated: 2018-12-10

Summary

The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via a crafted XML document in a request to irj/servlet/prt/portal/prtroot/com.sap.visualcomposer.BIKit.default, aka SAP Security Note 2386873.

Vulnerable Configurations

Part	Description	Count
Application	Sap SAP Netweaver 7.5	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://erpscan.io/advisories/erpscan-17-007-sap-netweaver-java-7-5-xxe-visual-composer-vc70runtime/
https://erpscan.io/press-center/blog/sap-cyber-threat-intelligence-report-february-2017/