CVE-2018-2424

CWE-20 — Improper Input Validation3 documents3 sources

Severity

7.5HIGH

EPSS

0.3%

top 47.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Hana Database SAP SE SAP UI SAP SE SAP UI5 +6 more

Timeline

PublishedJun 12

Latest updateMay 13

Description

SAP UI5 did not validate user input before adding it to the DOM structure. This may lead to malicious user-provided JavaScript code being added to the DOM that could steal user information. Software components affected are: SAP Hana Database 1.00, 2.00; SAP UI5 1.00; SAP UI5 (Java) 7.30, 7.31, 7.40, 7,50; SAP UI 7.40, 7.50, 7.51, 7.52, and version 2.0 of SAP UI for SAP NetWeaver 7.00

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages9 packages

▶NVDsap/hana_database1.00, 2.00+1

▶CVEListV5sap_se/sap_hana_database1.0, 2.0+1

▶NVDsap/ui5_java4 versions+3

▶CVEListV5sap_se/sap_ui5(java)4 versions+3

▶CVEListV5sap_se/sap_ui_for_sap_netweaver_7.002.0

🔴Vulnerability Details

GHSA

GHSA-5q23-7rqm-g3pj: SAP UI5 did not validate user input before adding it to the DOM structure↗2022-05-13

▶

CVEList

CVE-2018-2424: SAP UI5 did not validate user input before adding it to the DOM structure↗2018-06-12

▶