CVE-2019-0368 - Vulnerability Details - OpenCVE

SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Customer Relationship Management Bbpcrm Customer Relationship Management S4crm

Configuration 1 [-]

OR	cpe:2.3:a:sap:customer_relationship_management_bbpcrm:7.0:::::::*
	cpe:2.3:a:sap:customer_relationship_management_bbpcrm:7.01:::::::*
	cpe:2.3:a:sap:customer_relationship_management_bbpcrm:7.02:::::::*
	cpe:2.3:a:sap:customer_relationship_management_bbpcrm:7.12:::::::*
	cpe:2.3:a:sap:customer_relationship_management_bbpcrm:7.13:::::::*
	cpe:2.3:a:sap:customer_relationship_management_bbpcrm:7.14:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4crm:1.0:::::::*
	cpe:2.3:a:sap:customer_relationship_management_s4crm:2.0:::::::*

No data.

References

Link	Providers
https://launchpad.support.sap.com/#/notes/2751806
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2019-10-08T19:17:44

Updated: 2024-08-04T17:44:16.523Z

Reserved: 2018-11-26T00:00:00

Link: CVE-2019-0368

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-10-08T20:15:10.967

Modified: 2024-11-21T04:16:45.080

Link: CVE-2019-0368

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SAP Customer Relationship Management (Email Management - S4CRM)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 1.0"}, {"status": "affected", "version": "< 2.0"}]}, {"product": "SAP Customer Relationship Management (Email Management - BBPCRM)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 7.0"}, {"status": "affected", "version": "< 7.01"}, {"status": "affected", "version": "< 7.02"}, {"status": "affected", "version": "< 7.12"}, {"status": "affected", "version": "< 7.13"}, {"status": "affected", "version": "< 7.14"}]}], "descriptions": [{"lang": "en", "value": "SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability."}], "problemTypes": [{"descriptions": [{"description": "Cross-Site Scripting", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-08T19:17:44", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2751806"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2019-0368", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP Customer Relationship Management (Email Management - S4CRM)", "version": {"version_data": [{"version_name": "<", "version_value": "1.0"}, {"version_name": "<", "version_value": "2.0"}]}}, {"product_name": "SAP Customer Relationship Management (Email Management - BBPCRM)", "version": {"version_data": [{"version_name": "<", "version_value": "7.0"}, {"version_name": "<", "version_value": "7.01"}, {"version_name": "<", "version_value": "7.02"}, {"version_name": "<", "version_value": "7.12"}, {"version_name": "<", "version_value": "7.13"}, {"version_name": "<", "version_value": "7.14"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-Site Scripting"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050", "refsource": "CONFIRM", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050"}, {"name": "https://launchpad.support.sap.com/#/notes/2751806", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2751806"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:44:16.523Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2751806"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2019-0368", "datePublished": "2019-10-08T19:17:44", "dateReserved": "2018-11-26T00:00:00", "dateUpdated": "2024-08-04T17:44:16.523Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:customer_relationship_management_bbpcrm:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "149C02A7-B5B7-4753-AF3D-9AE2DD3A2694", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_bbpcrm:7.01:*:*:*:*:*:*:*", "matchCriteriaId": "C45E5362-8858-4297-BF1D-C1B622D9DA1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_bbpcrm:7.02:*:*:*:*:*:*:*", "matchCriteriaId": "BC179EE9-0B4E-4C17-8A52-24A1FF1917AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_bbpcrm:7.12:*:*:*:*:*:*:*", "matchCriteriaId": "54EAF890-CBC9-4189-8CAD-A84D7E26C39F", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_bbpcrm:7.13:*:*:*:*:*:*:*", "matchCriteriaId": "E15EC084-FE80-429E-B0DA-046EDADB8C51", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_bbpcrm:7.14:*:*:*:*:*:*:*", "matchCriteriaId": "277FB4D5-3A87-43C1-BAD8-907BC4B3C9CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4crm:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A67C09B3-26CD-43C2-AE41-DD131C975848", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management_s4crm:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "A682DEE4-75DE-411F-9F95-4AD1035B4193", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SAP Customer Relationship Management (Email Management), versions: S4CRM before 1.0 and 2.0, BBPCRM before 7.0, 7.01, 7.02, 7.12, 7.13 and 7.14, does not sufficiently encode user-controlled inputs within the mail client resulting in Cross-Site Scripting vulnerability."}, {"lang": "es", "value": "SAP Customer Relationship Management (Email Management), versiones: S4CRM anteriores a 1.0 y 2.0, BBPCRM anteriores a 7.0, 7.01, 7.02, 7.12, 7.13 y 7.14, no codifica suficientemente las entradas controladas por el usuario dentro del cliente de correo, resultando en una vulnerabilidad de tipo Cross-Site Scripting."}], "id": "CVE-2019-0368", "lastModified": "2024-11-21T04:16:45.080", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-08T20:15:10.967", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2751806"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2751806"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}