CVE-2018-2435 — Cross-site Scripting in SAP Netweaver Enterprise Portal

CWE-79 — Cross-site Scripting6 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 38.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP Netweaver Enterprise Portal SAP Netweaver Enterprise Portal

Timeline

PublishedJul 10

Latest updateMay 14

Description

SAP NetWeaver Enterprise Portal from 7.0 to 7.02, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDsap/netweaver_enterprise_portal7.0 — 7.02+6

▶CVEListV5sap/sap_netweaver_enterprise_portal7 versions+6

🔴Vulnerability Details

GHSA

GHSA-6xrr-gr25-qh39: SAP NetWeaver Enterprise Portal from 7↗2022-05-14

▶

CVEList

CVE-2018-2435: SAP NetWeaver Enterprise Portal from 7↗2018-07-10

▶

💬Community

Bugzilla

CVE-2018-12824 CVE-2018-12826 CVE-2018-12827 flash-plugin: Information Disclosure vulnerabilities (APSB18-25)↗2018-08-14

▶

Bugzilla

CVE-2018-12825 flash-plugin: Security Mitigation Bypass vulnerability (APSB18-25)↗2018-08-14

▶

Bugzilla

CVE-2018-12828 flash-plugin: Privilege Escalation vulnerability (APSB18-25)↗2018-08-14

▶