CVE-2020-6367

{"id": "CVE-2020-6367", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2020-10-20T14:15:14.697", "references": [{"url": "https://launchpad.support.sap.com/#/notes/2972661", "tags": ["Permissions Required", "Vendor Advisory"], "source": "cna@sap.com"}, {"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "There is a reflected cross site scripting vulnerability in SAP NetWeaver Composite Application Framework, versions - 7.20, 7.30, 7.31, 7.40, 7.50. An unauthenticated attacker can trick an unsuspecting authenticated user to click on a malicious link. The end users browser has no way to know that the script should not be trusted, and will execute the script, resulting in sensitive information being disclosed or modified."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de tipo cross site scripting reflejado en SAP NetWeaver Composite Application Framework, versiones - 7.20, 7.30, 7.31, 7.40, 7.50. Un atacante no autenticado puede enga\u00f1ar a un usuario autenticado desprevenido para que hacer clic en un enlace malicioso. El navegador de los usuarios finales no tiene manera de saber que no se debe confiar en el script y ejecutar\u00e1 el script, resultando en que la informaci\u00f3n confidencial sea divulgada o modificada"}], "lastModified": "2020-10-22T16:43:08.323", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_composite_application_framework:7.20:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9862EFDD-34F6-4E5E-A819-70B501934BA7"}, {"criteria": "cpe:2.3:a:sap:netweaver_composite_application_framework:7.30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45603CA5-CADE-4BBC-B5DA-E80607370222"}, {"criteria": "cpe:2.3:a:sap:netweaver_composite_application_framework:7.31:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "431E8D8F-03D7-4BA3-B247-CA709B07E676"}, {"criteria": "cpe:2.3:a:sap:netweaver_composite_application_framework:7.40:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1BF099EE-C2B2-4076-A905-5558B31EBD3A"}, {"criteria": "cpe:2.3:a:sap:netweaver_composite_application_framework:7.50:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8391EA9C-A8BA-49D2-9EFE-CBAAB57F9B0E"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}