ID

VAR-201809-0969


CVE

CVE-2018-2464


TITLE

SAP WebDynpro Java Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-010219

DESCRIPTION

SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Trust: 1.89

sources: NVD: CVE-2018-2464 // JVNDB: JVNDB-2018-010219 // BID: 105308

AFFECTED PRODUCTS

vendor: sap, model: netweaver, scope: eq, version: 7.50

Trust: 2.7

vendor: sap, model: netweaver, scope: eq, version: 7.40

Trust: 2.7

vendor: sap, model: netweaver, scope: eq, version: 7.31

Trust: 2.7

vendor: sap, model: netweaver, scope: eq, version: 7.30

Trust: 2.7

vendor: sap, model: netweaver, scope: eq, version: 7.20

Trust: 2.7

sources: BID: 105308 // JVNDB: JVNDB-2018-010219 // CNNVD: CNNVD-201809-493 // NVD: CVE-2018-2464

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-2464
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-2464
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201809-493
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2018-2464
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2018-2464
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2018-010219 // CNNVD: CNNVD-201809-493 // NVD: CVE-2018-2464

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-010219 // NVD: CVE-2018-2464

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-493

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201809-493

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010219

PATCH

title: SAP Security Patch Day - September 2018
url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499356993

Trust: 0.8

title: SAP WebDynpro Java Fixes for cross-site scripting vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84764

Trust: 0.6

sources: JVNDB: JVNDB-2018-010219 // CNNVD: CNNVD-201809-493

EXTERNAL IDS

db: NVD, id: CVE-2018-2464

Trust: 2.7

db: BID, id: 105308

Trust: 1.9

db: JVNDB, id: JVNDB-2018-010219

Trust: 0.8

db: CNNVD, id: CNNVD-201809-493

Trust: 0.6

sources: BID: 105308 // JVNDB: JVNDB-2018-010219 // CNNVD: CNNVD-201809-493 // NVD: CVE-2018-2464

REFERENCES

url:https://launchpad.support.sap.com/#/notes/2679378

Trust: 1.9

url:https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=499356993

Trust: 1.9

url:http://www.securityfocus.com/bid/105308

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2464

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-2464

Trust: 0.8

url:http://www.sap.com

Trust: 0.3

sources: BID: 105308 // JVNDB: JVNDB-2018-010219 // CNNVD: CNNVD-201809-493 // NVD: CVE-2018-2464

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 105308

SOURCES

db: BID, id: 105308
db: JVNDB, id: JVNDB-2018-010219
db: CNNVD, id: CNNVD-201809-493
db: NVD, id: CVE-2018-2464

LAST UPDATE DATE

2024-11-23T21:38:17.551000+00:00


SOURCES UPDATE DATE

db: BID, id: 105308, date: 2018-09-11T00:00:00
db: JVNDB, id: JVNDB-2018-010219, date: 2018-12-07T00:00:00
db: CNNVD, id: CNNVD-201809-493, date: 2018-09-14T00:00:00
db: NVD, id: CVE-2018-2464, date: 2024-11-21T04:03:51.707

SOURCES RELEASE DATE

db: BID, id: 105308, date: 2018-09-11T00:00:00
db: JVNDB, id: JVNDB-2018-010219, date: 2018-12-07T00:00:00
db: CNNVD, id: CNNVD-201809-493, date: 2018-09-11T00:00:00
db: NVD, id: CVE-2018-2464, date: 2018-09-11T15:29:02.017