Vulnerability Name:

CVE-2011-4805 (CCN-69854)

Assigned: 2011-09-15
Published: 2011-09-15
Updated: 2018-10-09
Summary: Cross-site scripting (XSS) vulnerability in pubDBLogon.jsp in SAP Crystal Report Server 2008 allows remote attackers to inject arbitrary web script or HTML via the service parameter.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2011-4805

Source: CCN
Type: DSECRG-11-032
SAP NetWeaver ipcpricing - information disclose

Source: MISC
Type: Exploit
http://dsecrg.com/pages/vul/show.php?id=333

Source: CCN
Type: SA46055
SAP Crystal Reports "service" Cross-Site Scripting Vulnerability

Source: CCN
Type: OSVDB ID: 75588
SAP Crystal Reports pubDBLogon.jsp service Parameter XSS

Source: CONFIRM
Type: UNKNOWN
http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a

Source: BUGTRAQ
Type: UNKNOWN
20111117 [DSECRG-11-033] SAP Crystal Report Server pubDBLogon - Linked XSS vulnerability

Source: CCN
Type: BID-49656
SAP Crystal Report Server 2008 'pubDBLogon.jsp' Cross Site Scripting Vulnerability

Source: XF
Type: UNKNOWN
crystal-reports-pubdblogon-xss(69854)

Source: CCN
Type: SAP Web site
SAP Note 1562292

Source: CONFIRM
Type: UNKNOWN
https://service.sap.com/sap/support/notes/1562292

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:sap:crystal_reports_server:2008:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    sap crystal reports server 2008