ID
VAR-201806-1433
CVE
CVE-2018-2424
TITLE
SAP UI5 Input validation vulnerability
Trust: 0.8
DESCRIPTION
SAP UI5 did not validate user input before adding it to the DOM structure. This may lead to malicious user-provided JavaScript code being added to the DOM that could steal user information. Software components affected are: SAP Hana Database 1.00, 2.00; SAP UI5 1.00; SAP UI5 (Java) 7.30, 7.31, 7.40, 7,50; SAP UI 7.40, 7.50, 7.51, 7.52, and version 2.0 of SAP UI for SAP NetWeaver 7.00. SAP UI5 is prone to an cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks
Trust: 1.89
AFFECTED PRODUCTS
| vendor: | sap | model: | ui | scope: | eq | version: | 7.52 | Trust: 2.7 |
| vendor: | sap | model: | ui | scope: | eq | version: | 7.51 | Trust: 2.7 |
| vendor: | sap | model: | ui | scope: | eq | version: | 7.50 | Trust: 2.7 |
| vendor: | sap | model: | ui | scope: | eq | version: | 7.40 | Trust: 2.7 |
| vendor: | sap | model: | hana database | scope: | eq | version: | 1.00 | Trust: 2.4 |
| vendor: | sap | model: | ui | scope: | eq | version: | 2.0 | Trust: 2.1 |
| vendor: | sap | model: | ui5 | scope: | eq | version: | 1.00 | Trust: 1.9 |
| vendor: | sap | model: | hana database | scope: | eq | version: | 2.00 | Trust: 1.8 |
| vendor: | sap | model: | ui5 java | scope: | eq | version: | 7.50 | Trust: 1.6 |
| vendor: | sap | model: | ui5 java | scope: | eq | version: | 7.31 | Trust: 1.6 |
| vendor: | sap | model: | ui5 java | scope: | eq | version: | 7.30 | Trust: 1.6 |
| vendor: | sap | model: | ui5 java | scope: | eq | version: | 7.40 | Trust: 1.6 |
| vendor: | sap | model: | ui | scope: | eq | version: | 5 1.00 | Trust: 0.8 |
| vendor: | sap | model: | ui | scope: | eq | version: | 5 java 7 | Trust: 0.8 |
| vendor: | sap | model: | ui | scope: | eq | version: | 50 | Trust: 0.8 |
| vendor: | sap | model: | ui | scope: | eq | version: | 5 java 7.30 | Trust: 0.8 |
| vendor: | sap | model: | ui | scope: | eq | version: | 5 java 7.31 | Trust: 0.8 |
| vendor: | sap | model: | ui | scope: | eq | version: | 5 java 7.40 | Trust: 0.8 |
| vendor: | sap | model: | ui5 | scope: | eq | version: | 7.50 | Trust: 0.3 |
| vendor: | sap | model: | ui5 | scope: | eq | version: | 7.40 | Trust: 0.3 |
| vendor: | sap | model: | ui5 | scope: | eq | version: | 7.31 | Trust: 0.3 |
| vendor: | sap | model: | ui5 | scope: | eq | version: | 7.30 | Trust: 0.3 |
| vendor: | sap | model: | netweaver | scope: | eq | version: | 7.0 | Trust: 0.3 |
| vendor: | sap | model: | hana db | scope: | eq | version: | 2.00 | Trust: 0.3 |
| vendor: | sap | model: | hana db | scope: | eq | version: | 1.00 | Trust: 0.3 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
PROBLEMTYPE DATA
| problemtype: | CWE-20 | Trust: 1.8 |
THREAT TYPE
remote
Trust: 0.6
TYPE
Input Validation Error
Trust: 0.9
CONFIGURATIONS
PATCH
| title: | June 2018 Security Releases | url: | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=495289255 | Trust: 0.8 |
| title: | SAP Hana DB , UI5 and UI Security vulnerabilities | url: | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80900 | Trust: 0.6 |
EXTERNAL IDS
| db: | NVD | id: | CVE-2018-2424 | Trust: 2.7 |
| db: | BID | id: | 104459 | Trust: 1.9 |
| db: | JVNDB | id: | JVNDB-2018-006576 | Trust: 0.8 |
| db: | CNNVD | id: | CNNVD-201806-735 | Trust: 0.6 |
REFERENCES
| url: | https://launchpad.support.sap.com/#/notes/2538856 | Trust: 1.9 |
| url: | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=495289255 | Trust: 1.9 |
| url: | http://www.securityfocus.com/bid/104459 | Trust: 1.6 |
| url: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2424 | Trust: 0.8 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2018-2424 | Trust: 0.8 |
| url: | http://www.sap.com | Trust: 0.3 |
CREDITS
The vendor reported this issue.
Trust: 0.3
SOURCES
| db: | BID | id: | 104459 |
| db: | JVNDB | id: | JVNDB-2018-006576 |
| db: | CNNVD | id: | CNNVD-201806-735 |
| db: | NVD | id: | CVE-2018-2424 |
LAST UPDATE DATE
2024-11-23T23:08:38.602000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 104459 | date: | 2018-06-12T00:00:00 |
| db: | JVNDB | id: | JVNDB-2018-006576 | date: | 2018-08-24T00:00:00 |
| db: | CNNVD | id: | CNNVD-201806-735 | date: | 2019-10-17T00:00:00 |
| db: | NVD | id: | CVE-2018-2424 | date: | 2024-11-21T04:03:47.570 |
SOURCES RELEASE DATE
| db: | BID | id: | 104459 | date: | 2018-06-12T00:00:00 |
| db: | JVNDB | id: | JVNDB-2018-006576 | date: | 2018-08-24T00:00:00 |
| db: | CNNVD | id: | CNNVD-201806-735 | date: | 2018-06-13T00:00:00 |
| db: | NVD | id: | CVE-2018-2424 | date: | 2018-06-12T15:29:00.307 |