CVE-2018-2434 — Insufficient Verification of Data Authenticity in SAP Netweaver

CWE-345 — Insufficient Verification of Data Authenticity3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 67.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP Netweaver SAP UI Implementation FOR Decoupled Innovations SAP User Interface Technology +3 more

Timeline

PublishedJul 10

Latest updateMay 13

Description

A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which might fool an end user: UI add-on for SAP NetWeaver (UI_Infra, 1.0), SAP UI Implementation for Decoupled Innovations (UI_700, 2.0): SAP NetWeaver 7.00 Implementation, SAP User Interface Technology (SAP_UI 7.4, 7.5, 7.51, 7.52). There is little impact as it is not possible to embed active contents such as JavaScript or hyperlinks.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages6 packages

▶NVDsap/user_interface_technology4 versions+3

▶CVEListV5sap/sap_user_interface_technology4 versions+3

▶CVEListV5sap/sap_ui_implementation_for_decoupled_innovations= 2.0

▶NVDsap/netweaver7.0

▶CVEListV5sap/sap_netweaver= 1.0, = 7.0+1

🔴Vulnerability Details

GHSA

GHSA-q7pg-c8qp-g8w8: A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which might fool an↗2022-05-13

▶

CVEList

CVE-2018-2434: A content spoofing vulnerability in the following components allows to render html pages containing arbitrary plain text content, which might fool an↗2018-07-10

▶