CVE-2018-2504

Severity: 6.1 MEDIUM
EPSS: 0.4% (top 41.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 11; latest update May 13

Description

The SAP NetWeaver AS Java Web Container service does not validate the HTTP Host header against a whitelist, which can result in HTTP Host Header Manipulation or a Cross-Site Scripting (XSS) vulnerability. This is fixed in versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 2 packages

NVD: sap/netweaver_application (7 versions)

🔴 Vulnerability Details (2)

GHSA
GHSA-68g7-p6mm-52jc: SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation (2022-05-13)
CVEList
CVE-2018-2504: SAP NetWeaver AS Java Web Container service does not validate against whitelist the HTTP host header which can result in HTTP Host Header Manipulation (2018-12-11)
CVE-2018-2504 (MEDIUM CVSS 6.1) | SAP NetWeaver AS Java Web Container | cvebase.io