CVE-2019-0370

EUVD-2019-1143
Due to missing input validation, SAP Financial Consolidation, before versions 10.0 and 10.1, enables an attacker to use crafted input to interfere with the structure of the surrounding query leading to XPath Injection.
aka Blind XPath Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Affected Products (NVD)
VendorProductVersion
sapfinancial_consolidation
10.0
sapfinancial_consolidation
10.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://launchpad.support.sap.com/#/notes/2806403
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050
https://launchpad.support.sap.com/#/notes/2806403
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528123050