ID

VAR-201810-1087


CVE

CVE-2018-2470


TITLE

SAP NetWeaver Application Server for ABAP Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2018-010819

DESCRIPTION

In SAP NetWeaver Application Server for ABAP, from 7.0 to 7.02, 7.30, 7.31, 7.40 and from 7.50 to 7.53, applications do not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. SAP NetWeaver AS ABAP 7.0 through 7.02, 7.30, 7.31, 7.40 and 7.50 through 7.53 are vulnerable.

Trust: 1.98

sources: NVD: CVE-2018-2470 // JVNDB: JVNDB-2018-010819 // BID: 105551 // VULMON: CVE-2018-2470

AFFECTED PRODUCTS

vendor: sap | model: netweaver | scope: eq | version: 7.30

Trust: 2.4

vendor: sap | model: netweaver | scope: eq | version: 7.31

Trust: 2.4

vendor: sap | model: netweaver | scope: eq | version: 7.40

Trust: 2.4

vendor: sap | model: netweaver | scope: gte | version: 7.0

Trust: 1.0

vendor: sap | model: netweaver | scope: gte | version: 7.50

Trust: 1.0

vendor: sap | model: netweaver | scope: lte | version: 7.53

Trust: 1.0

vendor: sap | model: netweaver | scope: lte | version: 7.02

Trust: 1.0

vendor: sap | model: netweaver | scope: eq | version: 7.02 for up to 7.0

Trust: 0.8

vendor: sap | model: netweaver | scope: eq | version: 7.50 to 7.53

Trust: 0.8

vendor: sap | model: netweaver | scope: eq | version: 7.53

Trust: 0.6

vendor: sap | model: netweaver | scope: eq | version: 7.50

Trust: 0.6

vendor: sap | model: netweaver | scope: eq | version: 7.02

Trust: 0.6

vendor: sap | model: netweaver | scope: eq | version: 7.01

Trust: 0.6

vendor: sap | model: netweaver | scope: eq | version: 7.52

Trust: 0.6

vendor: sap | model: netweaver | scope: eq | version: 7.51

Trust: 0.6

vendor: sap | model: netweaver as abap | scope: eq | version: 7.53

Trust: 0.3

vendor: sap | model: netweaver as abap | scope: eq | version: 7.52

Trust: 0.3

vendor: sap | model: netweaver as abap | scope: eq | version: 7.50

Trust: 0.3

vendor: sap | model: netweaver as abap | scope: eq | version: 7.40

Trust: 0.3

vendor: sap | model: netweaver as abap | scope: eq | version: 7.31

Trust: 0.3

vendor: sap | model: netweaver as abap | scope: eq | version: 7.30

Trust: 0.3

vendor: sap | model: netweaver as abap | scope: eq | version: 7.02

Trust: 0.3

vendor: sap | model: netweaver as abap | scope: eq | version: 7.0

Trust: 0.3

sources: BID: 105551 // JVNDB: JVNDB-2018-010819 // CNNVD: CNNVD-201810-449 // NVD: CVE-2018-2470

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-2470
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-2470
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201810-449
value: MEDIUM

Trust: 0.6

VULMON: CVE-2018-2470
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-2470
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2018-2470
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.0

Trust: 1.8

sources: VULMON: CVE-2018-2470 // JVNDB: JVNDB-2018-010819 // CNNVD: CNNVD-201810-449 // NVD: CVE-2018-2470

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2018-010819 // NVD: CVE-2018-2470

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201810-449

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201810-449

CONFIGURATIONS

[
  {
    "CVE_data_version": "4.0",
    "nodes": [
      {
        "operator": "OR",
        "cpe_match": [
          {
            "vulnerable": true,
            "cpe22Uri": "cpe:/a:sap:netweaver"
          }
        ]
      }
    ]
  }
]

sources: JVNDB: JVNDB-2018-010819

PATCH

title: October 2018 (2684760) | url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=500633095

Trust: 0.8

title: SAP NetWeaver Application Server for ABAP Security vulnerabilities | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85640

Trust: 0.6

sources: JVNDB: JVNDB-2018-010819 // CNNVD: CNNVD-201810-449

EXTERNAL IDS

db: NVD | id: CVE-2018-2470

Trust: 2.8

db: BID | id: 105551

Trust: 1.4

db: JVNDB | id: JVNDB-2018-010819

Trust: 0.8

db: CNNVD | id: CNNVD-201810-449

Trust: 0.6

db: VULMON | id: CVE-2018-2470

Trust: 0.1

sources: VULMON: CVE-2018-2470 // BID: 105551 // JVNDB: JVNDB-2018-010819 // CNNVD: CNNVD-201810-449 // NVD: CVE-2018-2470

REFERENCES

url: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageid=500633095

Trust: 2.0

url: https://launchpad.support.sap.com/#/notes/2684760

Trust: 2.0

url: http://www.securityfocus.com/bid/105551

Trust: 1.2

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-2470

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-2470

Trust: 0.8

url: http://www.sap.com

Trust: 0.3

url: https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2018-2470 // BID: 105551 // JVNDB: JVNDB-2018-010819 // CNNVD: CNNVD-201810-449 // NVD: CVE-2018-2470

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 105551

SOURCES

db: VULMON | id: CVE-2018-2470
db: BID | id: 105551
db: JVNDB | id: JVNDB-2018-010819
db: CNNVD | id: CNNVD-201810-449
db: NVD | id: CVE-2018-2470

LAST UPDATE DATE

2024-11-23T22:26:07.993000+00:00

SOURCES UPDATE DATE

db: VULMON | id: CVE-2018-2470 | date: 2018-11-26T00:00:00
db: BID | id: 105551 | date: 2018-10-09T00:00:00
db: JVNDB | id: JVNDB-2018-010819 | date: 2018-12-25T00:00:00
db: CNNVD | id: CNNVD-201810-449 | date: 2018-10-26T00:00:00
db: NVD | id: CVE-2018-2470 | date: 2024-11-21T04:03:52.430

SOURCES RELEASE DATE

db: VULMON | id: CVE-2018-2470 | date: 2018-10-09T00:00:00
db: BID | id: 105551 | date: 2018-10-09T00:00:00
db: JVNDB | id: JVNDB-2018-010819 | date: 2018-12-25T00:00:00
db: CNNVD | id: CNNVD-201810-449 | date: 2018-10-10T00:00:00
db: NVD | id: CVE-2018-2470 | date: 2018-10-09T13:29:01.633