Skip to main content

Enable Now CVE-2019-0385

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2019-11-13 cna@sap.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
CVE Published
Nov 13, 2019 - 22:15 nvd
MEDIUM 6.5

DescriptionNVD

SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

AnalysisAI

SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. SAP Enable Now, before version 1908, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. Affected products include: Sap Enable Now. Version information: version 1908.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2019-0403 CRITICAL
9.8 Dec 11

SAP Enable Now, before version 1911, allows an attacker to input commands into the CSV files, which will be executed whe

CVE-2019-0341 HIGH
8.8 Aug 14

The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set. Rated high severity (CVSS

CVE-2019-0405 HIGH
7.5 Dec 11

SAP Enable Now, before version 1911, leaks information about the existence of a particular user which can be used to con

CVE-2019-0404 HIGH
7.5 Dec 11

SAP Enable Now, before version 1911, leaks information about network configuration in the server error messages, leading

CVE-2023-36918 MEDIUM
6.1 Jul 11

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X

CVE-2023-33988 MEDIUM
6.1 Jul 11

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the C

CVE-2022-35297 MEDIUM
5.4 Oct 11

The application SAP Enable Now does not sufficiently encode user-controlled inputs over the network before it is placed

CVE-2020-6178 MEDIUM
5.4 Mar 10

SAP Enable Now, before version 1911, sends the Session ID cookie value in URL. Rated medium severity (CVSS 5.4), this vu

CVE-2019-0340 MEDIUM
5.4 Aug 14

The XML parser, which is being used by SAP Enable Now, before version 1902, has not been hardened correctly, leading to

CVE-2023-36919 MEDIUM
5.3 Jul 11

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the R

CVE-2024-34692 MEDIUM
4.6 Jul 09

Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary

CVE-2021-27637 MEDIUM
4.6 Jun 09

Under certain conditions SAP Enable Now (SAP Workforce Performance Builder - Manager), versions - 1.0, 10 allows an atta

Share

CVE-2019-0385 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy