[ERPSCAN-15-019] SAP Afaria – Stored XSS

Application: SAP Afaria 7
Vendor URL: http://www.sap.com
Bugs: XSS
Reported: 18.02.2015
Vendor response: 18.02.2015
Date of Public Advisory: 11.08.2015
Reference: SAP Security Note 2152669
Authors: Dmitry Chastukhin (ERPScan)

Vulnerability information
Class: Cross-Site Scripting [CWE-79]
Impact: Stored cross-site scripting, XSS, Afaria Server, Configuration Information Disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-6663
CVSS Information
CVSS Base Score: 4.3 / 10
CVSS Base Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

AV : Access Vector (Related exploit range): Network (N)
AC : Access Complexity (Required attack complexity): Medium (M)
Au : Authentication (Level of authentication needed to exploit): None (N)
C : Impact to Confidentiality: None (N)
I : Impact to Integrity: Partial (P)
A : Impact to Availability: None (N)

Business Risk
A legitimate user of SAP can insert a malicious script into SAP and gain unauthorized access to the workstation of any user who opens the link.

Client name data comes from user packets and is inserted into the web page “Device Inspector” in the “Client” form without escaping.

Vulnerable packages
SAP Afaria 7; other versions are probably affected too, but they were not checked.

Solutions and workarounds
To correct this vulnerability, install SAP Security Note 2152669.

Technical description
An anonymous attacker can use a specially crafted request to inject malicious JS code by sending data to the attachment (q) on the Xcomms port (3007 by default).
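As an added illustration (not code from the advisory, from ERPScan or from SAP), the defect described above and its fix in Python: a client name reported by a device is placed into the Device Inspector "Client" cell raw, versus HTML-entity encoded at output, with a metacharacter check that a defender can use to flag abnormal device names. The function names and the sample client names are assumptions constructed for this example.

```python
import html
import re

# Constructed sample client names as a device might report them at
# registration. The advisory states this field reaches the Device
# Inspector page unescaped; these values are hypothetical, not from it.
SAMPLE_CLIENT_NAMES = [
    "LAPTOP-FINANCE-01",
    'Tom "Tommy" O\'Neil',
    "<script>alert(1)</script>",
]

# Metacharacters that have no business in a device/client name.
_MARKUP = re.compile(r"[<>\"'&]")


def render_client_cell_vulnerable(client_name: str) -> str:
    """Mirrors the defect: the raw client name is concatenated into HTML,
    so any markup in it becomes part of the page (stored XSS)."""
    return f'<td class="client">{client_name}</td>'


def render_client_cell_fixed(client_name: str) -> str:
    """Hardened form: HTML-entity encode at the point of output.
    quote=True also encodes quotes, so the value stays inert even if a
    template later moves it into an attribute context."""
    return f'<td class="client">{html.escape(client_name, quote=True)}</td>'


def flag_suspicious_client_name(client_name: str) -> bool:
    """Detection aid, not a substitute for output encoding: true when a
    client name contains HTML metacharacters and should be reviewed."""
    return _MARKUP.search(client_name) is not None


def inspect(names):
    """Return (name, flagged, safe_html) for each reported client name."""
    return [
        (n, flag_suspicious_client_name(n), render_client_cell_fixed(n))
        for n in names
    ]


if __name__ == "__main__":
    for name, flagged, cell in inspect(SAMPLE_CLIENT_NAMES):
        print(f"flagged={flagged!s:5} {cell}")
```

The encoded text round-trips (html.unescape restores the original name), so the fix loses no information; it only stops the browser from treating the name as markup.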
