VYPR
Unrated severity · NVD Advisory · Published Aug 24, 2015 · Updated May 6, 2026

CVE-2015-6662

Description

XML external entity (XXE) vulnerability in SAP NetWeaver Portal 7.4 allows remote attackers to read arbitrary files and possibly have other unspecified impact via crafted XML data, aka SAP Security Note 2168485.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SAP NetWeaver Portal 7.4 is vulnerable to XXE attacks, allowing remote authenticated attackers to read arbitrary files or cause denial of service via crafted XML data.

Vulnerability

An XML External Entity (XXE) vulnerability exists in SAP NetWeaver Portal 7.4, as described in SAP Security Note 2168485 [1]. The flaw occurs when the portal processes crafted XML data containing external entity declarations, enabling an attacker to read arbitrary server files or launch denial of service attacks through entity expansion. The vulnerability is officially designated as CWE-611 and affects SAP NetWeaver 7.4; other versions may also be impacted but were not tested [1].

Exploitation

An attacker must have network access to the vulnerable SAP NetWeaver Portal and be authenticated with a single user account (the CVSS vector indicates Authentication: Single) [1]. The attacker sends a specially crafted XML request that includes a malicious Document Type Definition (DTD) referencing external entities. The portal processes the DTD and resolves the external entity, either returning the contents of a local file in the response or performing a denial of service via entity expansion [1]. The vulnerability is remotely exploitable and does not require local access [1].

Impact

Successful exploitation leads to information disclosure (arbitrary file read on the server) and potential denial of service [1]. The CVSSv2 base score is 4.9 (Medium), with partial impact to confidentiality and availability, and no impact to integrity [1]. Additional unspecified impacts may include SMB relay attacks, where the server is tricked into authenticating to an attacker-controlled machine via the crafted XML [1].

Mitigation

SAP has released Security Note 2168485 to address this vulnerability [1]. Administrators should apply the corresponding patch to SAP NetWeaver 7.4 as soon as possible. No workarounds are provided in the available references; installation of the security note is the recommended course of action [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The XML parser used by the landscape access component does not disable external entity processing, allowing XXE attacks via a crafted DTD in the ApplicationDefinition.xml file [ref_id=1] [CWE-611]."

Attack vector

An attacker with administrative privileges (single authentication required) sends a crafted XML request to the vulnerable URL `/irj/servlet/prt/portal/prteventname/upload/prtroot/com.sap.portal.landscape.access.LSXMLParse` [ref_id=1]. The malicious XML includes a DTD that defines an external entity referencing an attacker-controlled server (`SYSTEM "http://IP:PORT/"`) [ref_id=1]. When the server parses the XML, it resolves the external entity, allowing the attacker to read arbitrary files from the server, perform a denial-of-service via entity expansion, or conduct an SMB relay attack [ref_id=1] [CWE-611].

Affected code

The vulnerability affects the SAP NetWeaver Portal 7.4 functionality used by an administrator to import applications. The vulnerable URL is `/irj/servlet/prt/portal/prteventname/upload/prtroot/com.sap.portal.landscape.access.LSXMLParse` [ref_id=1]. The attacker replaces the `ApplicationDefinition.xml` file with malicious XML code [ref_id=1].

What the fix does

The advisory states that to correct this vulnerability, administrators must install SAP Security Note 2168485 [ref_id=1]. No patch diff is provided in the bundle, so the specific code changes are not shown. The fix presumably disables external entity resolution in the XML parser used by the landscape access component, preventing DTD-based XXE attacks.

Preconditions

  • auth: Attacker must have administrative access (single authentication) to the SAP NetWeaver Portal
  • network: Attacker must be able to reach the vulnerable URL on the network
  • input: Attacker must supply a crafted XML file (ApplicationDefinition.xml) containing a malicious DTD

Reproduction

1. Authenticate as an administrator to the SAP NetWeaver Portal 7.4 instance.
2. Send a crafted XML request to the URL `http://IP:50000/irj/servlet/prt/portal/prteventname/upload/prtroot/com.sap.portal.landscape.access.LSXMLParse` [ref_id=1].
3. The malicious XML payload is:

```xml
```

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.