CVE-2015-7729

Eval injection in test-net.xsjs in the Web-based Development Workbench in SAP HANA Developer Edition DB 1.00.091.00.1418659308 allows remote authenticated users to execute arbitrary XSJS code via unspecified vectors, aka SAP Security Note 2153892.

CVSS v2.0 6.5 MEDIUM

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://packetstormsecurity.com/files/133763/SAP-HANA-test-net.xsjs-Code-Injection.html
http://seclists.org/fulldisclosure/2015/Sep/112
https://www.onapsis.com/research/security-advisories/sap-hana-xsjs-code-injection-test-net
https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:hana:1.00.091.00:*:*:*:developer:*:*:*

Information

Published : 2015-10-15 13:59

Updated : 2015-10-16 08:06

NVD link : CVE-2015-7729

Mitre link : CVE-2015-7729

JSON object : View

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

Products Affected

sap

hana

6.5 /10