Details of VAR-201802-0846

ID

VAR-201802-0846

CVE

CVE-2018-2371

TITLE

SAP Netweaver AS Java Web Application Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-002273

DESCRIPTION

The SAML 2.0 service provider of SAP Netweaver AS Java Web Application, 7.50, does not sufficiently encode user controlled inputs, which results in Cross-Site Scripting (XSS) vulnerability. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 1.89

sources: NVD: CVE-2018-2371 // JVNDB: JVNDB-2018-002273 // BID: 103005

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver java web application	scope:	eq	version:	7.50	Trust: 1.6
vendor:	sap	model:	netweaver application server java	scope:	eq	version:	web application 7.50	Trust: 0.8
vendor:	sap	model:	netweaver	scope:	eq	version:	7.50	Trust: 0.3

sources: BID: 103005 // JVNDB: JVNDB-2018-002273 // CNNVD: CNNVD-201802-944 // NVD: CVE-2018-2371

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-2371
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-2371
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201802-944
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2018-2371
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

nvd@nist.gov:	CVE-2018-2371
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.0
Trust: 1.8

sources: JVNDB: JVNDB-2018-002273 // CNNVD: CNNVD-201802-944 // NVD: CVE-2018-2371

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-002273 // NVD: CVE-2018-2371

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201802-944

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201802-944

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-002273

PATCH

title:

February 2018 (2560741)

url:

https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/

Trust: 0.8

sources: JVNDB: JVNDB-2018-002273

EXTERNAL IDS

db:	NVD	id:	CVE-2018-2371	Trust: 2.7
db:	BID	id:	103005	Trust: 2.7
db:	JVNDB	id:	JVNDB-2018-002273	Trust: 0.8
db:	CNNVD	id:	CNNVD-201802-944	Trust: 0.6

sources: BID: 103005 // JVNDB: JVNDB-2018-002273 // CNNVD: CNNVD-201802-944 // NVD: CVE-2018-2371

REFERENCES

url:	http://www.securityfocus.com/bid/103005	Trust: 2.4
url:	https://launchpad.support.sap.com/#/notes/2560741	Trust: 1.9
url:	https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/	Trust: 1.9
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2371	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-2371	Trust: 0.8
url:	http://www.sap.com	Trust: 0.3

sources: BID: 103005 // JVNDB: JVNDB-2018-002273 // CNNVD: CNNVD-201802-944 // NVD: CVE-2018-2371

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 103005

SOURCES

db:	BID	id:	103005
db:	JVNDB	id:	JVNDB-2018-002273
db:	CNNVD	id:	CNNVD-201802-944
db:	NVD	id:	CVE-2018-2371

LAST UPDATE DATE

2024-11-23T23:05:14.474000+00:00

SOURCES UPDATE DATE

db:	BID	id:	103005	date:	2018-02-13T00:00:00
db:	JVNDB	id:	JVNDB-2018-002273	date:	2018-04-05T00:00:00
db:	CNNVD	id:	CNNVD-201802-944	date:	2018-04-24T00:00:00
db:	NVD	id:	CVE-2018-2371	date:	2024-11-21T04:03:41.850

SOURCES RELEASE DATE

db:	BID	id:	103005	date:	2018-02-13T00:00:00
db:	JVNDB	id:	JVNDB-2018-002273	date:	2018-04-05T00:00:00
db:	CNNVD	id:	CNNVD-201802-944	date:	2018-02-14T00:00:00
db:	NVD	id:	CVE-2018-2371	date:	2018-02-14T12:29:00.390