Detections
Analytics
SAP DB / MaxDB WebDBM Multiple Parameter XSS
medium Nessus Plugin ID 36072
Language:
Synopsis
The remote web server contains a script that is affected by multiple cross-site scripting vulnerabilities.Description
The remote web server contains the WebDBM script, a component of SAP DB / MaxDB.The version of this script found on the remote host fails to sanitize user-supplied input to its 'Database', 'User', and 'Password' parameters before using it to generate dynamic content. An unauthenticated, remote attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site.
Solution
The vendor reportedly recommends replacing WebDBM with 'Database Studio'.See Also
https://www.securityfocus.com/archive/1/502318/30/0/threaded
Plugin Details
Severity: Medium
ID: 36072
File Name: sapdb_webdbm_xss_vulns.nasl
Version: 1.15
Type: remote
Family: CGI abuses : XSS
Published: 4/1/2009
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus
Vulnerability Information
CPE: cpe:/a:sap:maxdb
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Available: true
Exploit Ease: Exploits are available
Exploited by Nessus: true
Reference Information
BID: 34319