ID

VAR-201809-0959


CVE

CVE-2018-2452


TITLE

SAP NetWeaver AS Java Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-010218

DESCRIPTION

The logon application of SAP NetWeaver AS Java 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50 does not sufficiently encode user-controlled input before including it in its HTML response, resulting in a cross-site scripting (XSS) vulnerability (CWE-79). A remote, unauthenticated attacker who can induce a user to submit crafted input to the logon page (for example by way of a crafted link) can execute arbitrary script code in that user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials (where the session cookie is not flagged HttpOnly) or to launch other attacks against the user, such as capturing credentials typed into the logon form. SAP addressed the issue in SAP Security Note 2623846, released on the September 2018 Security Patch Day.

Trust: 1.89

sources: NVD: CVE-2018-2452 // JVNDB: JVNDB-2018-010218 // BID: 105325
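The flaw class above, insufficient output encoding of user-controlled input on a logon page, is shown here as an added example in Node.js. This is not SAP's code and does not reproduce the NetWeaver logon application; the page layout and the parameter names (errorMessage, redirectUrl) are hypothetical. The vulnerable renderer concatenates request parameters straight into HTML; the hardened renderer encodes each value for the context it lands in (text node versus quoted attribute), and a small decoder shows that encoding preserves the data while removing the markup.

```javascript
// Added example, not SAP's code: reflected XSS from insufficient output
// encoding (the flaw class in CVE-2018-2452) and the context-aware encoding
// that removes it. The page shape and the parameter names errorMessage and
// redirectUrl are hypothetical.

// HTML text-node context: the five characters that can start or end markup.
function encodeForHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Quoted-attribute context: encode everything but [A-Za-z0-9] as &#xHH;,
// so no input can close the quote or append an event-handler attribute.
// The u flag keeps astral characters as one code point, not two surrogates.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// What a browser does when it reads an entity-encoded value back; used to
// show that encoding keeps the data intact and only neutralises the markup.
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return s.replace(/&#x([0-9a-f]+);|&(amp|lt|gt|quot);/gi, (m, hex, name) =>
    hex ? String.fromCodePoint(parseInt(hex, 16)) : named[name.toLowerCase()]);
}

// Vulnerable renderer: request parameters concatenated straight into HTML.
function renderLogonVulnerable(params) {
  const msg = params.errorMessage || '';
  const target = params.redirectUrl || '/';
  return `<p class="error">${msg}</p>\n` +
    `<form method="post" action="/logon">\n` +
    `  <input type="hidden" name="redirectUrl" value="${target}">\n` +
    `  <input name="user"><input type="password" name="pass"><button>Log on</button>\n` +
    `</form>`;
}

// Hardened renderer: same template, every untrusted value encoded for the
// context it is written into.
function renderLogonSafe(params) {
  const msg = encodeForHtml(params.errorMessage || '');
  const target = encodeForHtmlAttribute(params.redirectUrl || '/');
  return `<p class="error">${msg}</p>\n` +
    `<form method="post" action="/logon">\n` +
    `  <input type="hidden" name="redirectUrl" value="${target}">\n` +
    `  <input name="user"><input type="password" name="pass"><button>Log on</button>\n` +
    `</form>`;
}

// The reflection check a tester runs on a response: does the raw payload
// survive into the markup unencoded?
function reflectsRaw(html, payload) {
  return html.includes(payload);
}

// Constructed payloads: a script tag for the text-node context and a
// quote breakout that adds an event handler for the attribute context.
const SCRIPT_PAYLOAD = '<script>alert(document.cookie)</script>';
const ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)';

const vulnerableHtml = renderLogonVulnerable({ errorMessage: SCRIPT_PAYLOAD, redirectUrl: ATTR_PAYLOAD });
const safeHtml = renderLogonSafe({ errorMessage: SCRIPT_PAYLOAD, redirectUrl: ATTR_PAYLOAD });
console.log('vulnerable reflects script tag:', reflectsRaw(vulnerableHtml, SCRIPT_PAYLOAD));
console.log('hardened reflects script tag:  ', reflectsRaw(safeHtml, SCRIPT_PAYLOAD));
console.log(safeHtml);
```

The attribute encoder is deliberately stricter than the text-node encoder: inside value="..." a bare quote is enough to break out, and the breakout payload above never contains < or >, so an encoder that only handles angle brackets would still leave the form exploitable. Encode for the context, not for "HTML" in general.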

AFFECTED PRODUCTS

vendor: sap | model: netweaver application server java | scope: eq | version: 7.31

Trust: 1.0

vendor: sap | model: netweaver application server java | scope: eq | version: 7.30

Trust: 1.0

vendor: sap | model: netweaver application server java | scope: eq | version: 7.40

Trust: 1.0

vendor: sap | model: netweaver application server java | scope: eq | version: 7.11

Trust: 1.0

vendor: sap | model: netweaver application server java | scope: eq | version: 7.50

Trust: 1.0

vendor: sap | model: netweaver application server java | scope: eq | version: 7.10

Trust: 1.0

vendor: sap | model: netweaver application server java | scope: eq | version: 7.20

Trust: 1.0

vendor: sap | model: netweaver | scope: eq | version: application server java 7.10 to 7.11

Trust: 0.8

vendor: sap | model: netweaver | scope: eq | version: application server java 7.20

Trust: 0.8

vendor: sap | model: netweaver | scope: eq | version: application server java 7.30

Trust: 0.8

vendor: sap | model: netweaver | scope: eq | version: application server java 7.31

Trust: 0.8

vendor: sap | model: netweaver | scope: eq | version: application server java 7.40

Trust: 0.8

vendor: sap | model: netweaver | scope: eq | version: application server java 7.50

Trust: 0.8

vendor: sap | model: netweaver | scope: eq | version: 7.11

Trust: 0.6

vendor: sap | model: netweaver | scope: eq | version: 7.50

Trust: 0.6

vendor: sap | model: netweaver | scope: eq | version: 7.20

Trust: 0.6

vendor: sap | model: netweaver | scope: eq | version: 7.31

Trust: 0.6

vendor: sap | model: netweaver | scope: eq | version: 7.10

Trust: 0.6

vendor: sap | model: netweaver | scope: eq | version: 7.30

Trust: 0.6

vendor: sap | model: netweaver | scope: eq | version: 7.40

Trust: 0.6

vendor: sap | model: netweaver as java | scope: eq | version: 7.50

Trust: 0.3

vendor: sap | model: netweaver as java | scope: eq | version: 7.40

Trust: 0.3

vendor: sap | model: netweaver as java | scope: eq | version: 7.31

Trust: 0.3

vendor: sap | model: netweaver as java | scope: eq | version: 7.30

Trust: 0.3

vendor: sap | model: netweaver as java | scope: eq | version: 7.20

Trust: 0.3

vendor: sap | model: netweaver as java | scope: eq | version: 7.11

Trust: 0.3

vendor: sap | model: netweaver as java | scope: eq | version: 7.10

Trust: 0.3

sources: BID: 105325 // JVNDB: JVNDB-2018-010218 // CNNVD: CNNVD-201809-559 // NVD: CVE-2018-2452

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-2452
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-2452
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201809-559
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2018-2452
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2018-2452
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2018-2452
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2018-010218 // CNNVD: CNNVD-201809-559 // NVD: CVE-2018-2452

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-010218 // NVD: CVE-2018-2452

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-559

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201809-559

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010218

PATCH

title: SAP Security Patch Day - September 2018 | url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499356993

Trust: 0.8

title: SAP NetWeaver AS Java Fixes for cross-site scripting vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84829

Trust: 0.6

sources: JVNDB: JVNDB-2018-010218 // CNNVD: CNNVD-201809-559

EXTERNAL IDS

db: NVD | id: CVE-2018-2452

Trust: 2.7

db: BID | id: 105325

Trust: 1.9

db: JVNDB | id: JVNDB-2018-010218

Trust: 0.8

db: CNNVD | id: CNNVD-201809-559

Trust: 0.6

sources: BID: 105325 // JVNDB: JVNDB-2018-010218 // CNNVD: CNNVD-201809-559 // NVD: CVE-2018-2452

REFERENCES

url:https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=499356993

Trust: 1.9

url:https://launchpad.support.sap.com/#/notes/2623846

Trust: 1.6

url:http://www.securityfocus.com/bid/105325

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2452

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-2452

Trust: 0.8

url:http://www.sap.com

Trust: 0.3

url:https://service.sap.com/sap/support/notes/2623846

Trust: 0.3

sources: BID: 105325 // JVNDB: JVNDB-2018-010218 // CNNVD: CNNVD-201809-559 // NVD: CVE-2018-2452

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 105325

SOURCES

db: BID | id: 105325
db: JVNDB | id: JVNDB-2018-010218
db: CNNVD | id: CNNVD-201809-559
db: NVD | id: CVE-2018-2452

LAST UPDATE DATE

2024-11-23T21:52:49.027000+00:00


SOURCES UPDATE DATE

db: BID | id: 105325 | date: 2018-09-11T00:00:00
db: JVNDB | id: JVNDB-2018-010218 | date: 2018-12-07T00:00:00
db: CNNVD | id: CNNVD-201809-559 | date: 2021-04-22T00:00:00
db: NVD | id: CVE-2018-2452 | date: 2024-11-21T04:03:50.470

SOURCES RELEASE DATE

db: BID | id: 105325 | date: 2018-09-11T00:00:00
db: JVNDB | id: JVNDB-2018-010218 | date: 2018-12-07T00:00:00
db: CNNVD | id: CNNVD-201809-559 | date: 2018-09-11T00:00:00
db: NVD | id: CVE-2018-2452 | date: 2018-09-11T15:29:00.720