Skip to main content

Netweaver CVE-2018-2464

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2018-09-11 cna@sap.com
6.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 11, 2018 - 15:29 nvd
MEDIUM 6.1

DescriptionNVD

SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability.

AnalysisAI

SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. SAP WebDynpro Java, versions 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability. Affected products include: Sap Netweaver.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2012-2611 CRITICAL POC
9.3 May 15

The DiagTraceR3Info function in the Dialog processor in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispa

CVE-2025-31324 CRITICAL POC
10.0 Apr 24

SAP NetWeaver Visual Composer Metadata Uploader lacks proper authorization, allowing unauthenticated agents to upload ma

CVE-2016-2389 HIGH POC
7.5 Feb 16

Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMI

CVE-2015-7241 CRITICAL POC
9.8 Sep 06

XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2012-2612 MEDIUM POC
5.0 May 15

The DiagTraceHex function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0

CVE-2012-2514 MEDIUM POC
5.0 May 15

The DiagiEventSource function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver

CVE-2012-2512 MEDIUM POC
5.0 May 15

The DiagTraceStreamI function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver

CVE-2014-0995 MEDIUM POC
5.0 Nov 06

The Standalone Enqueue Server in SAP Netweaver 7.20, 7.01, and earlier allows remote attackers to cause a denial of serv

CVE-2012-2513 MEDIUM POC
5.0 May 15

The Diaginput function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP

CVE-2012-2511 MEDIUM POC
5.0 May 15

The DiagTraceAtoms function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.

CVE-2016-4014 HIGH POC
8.6 Apr 14

XML external entity (XXE) vulnerability in the UDDI component in SAP NetWeaver JAVA AS 7.4 allows remote attackers to ca

CVE-2016-1910 MEDIUM POC
5.3 Jan 15

The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors,

Share

CVE-2018-2464 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy