CVE-2018-2477: XML Injection (aka Blind XPath Injection) in SAP Knowledge Management in SAP NetWeaver

Severity
8.8 HIGH (NVD)
EPSS
0.7%
top 28.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 13
Latest update: May 14

Description

Knowledge Management (XMLForms) in SAP NetWeaver, versions 7.30, 7.31, 7.40 and 7.50 does not sufficiently validate an XML document accepted from an untrusted source.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages: 2 packages

NVD: sap/netweaver, 4 versions (+3)

Vulnerability Details (2)
GHSA
GHSA-gwj3-xxgq-gmc6: Knowledge Management (XMLForms) in SAP NetWeaver, versions 7 | 2022-05-14
CVEList
CVE-2018-2477: Knowledge Management (XMLForms) in SAP NetWeaver, versions 7 | 2018-11-13