CVE-2008-1846Cross-site Scripting in SAP Netweaver

CWE-79Cross-site Scripting3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.5%
top 33.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP Netweaver
Timeline
PublishedApr 16
Latest updateMay 1

Description

The default configuration of SAP NetWeaver before 7.0 SP15 does not enable the "Always Use Secure HTML Editor" (aka Editor Security or Secure Editing) parameter, which allows remote attackers to conduct cross-site scripting (XSS) attacks by entering feedback for a file.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDsap/netweaver7.0

🔴Vulnerability Details

2
GHSA
GHSA-v2h7-hrfg-524r: The default configuration of SAP NetWeaver before 72022-05-01
CVEList
CVE-2008-1846: The default configuration of SAP NetWeaver before 72008-04-16
CVE-2008-1846 — Cross-site Scripting in SAP Netweaver | cvebase