Details of VAR-202108-0227

ID

VAR-202108-0227

CVE

CVE-2018-17862

TITLE

SAP J2EE Engine Cross-site Scripting Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-016610

DESCRIPTION

A cross-site scripting (XSS) vulnerability in SAP J2EE Engine/7.01/Fiori allows remote attackers to inject arbitrary web script via the sys_jdbc parameter to /TestJDBC_Web/test2. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials

Trust: 1.98

sources: NVD: CVE-2018-17862 // JVNDB: JVNDB-2018-016610 // BID: 107471 // VULMON: CVE-2018-17862

AFFECTED PRODUCTS

vendor:	sap	model:	j2ee engine	scope:	eq	version:	7.01	Trust: 1.8
vendor:	sap	model:	j2ee engine	scope:	eq	version:	-	Trust: 0.8
vendor:	sap	model:	j2ee engine core	scope:	eq	version:	7.01	Trust: 0.3

sources: BID: 107471 // JVNDB: JVNDB-2018-016610 // NVD: CVE-2018-17862

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-17862
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-17862
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201903-063
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2018-17862
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2018-17862
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2018-17862
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2018-17862
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2018-17862 // JVNDB: JVNDB-2018-016610 // CNNVD: CNNVD-201903-063 // NVD: CVE-2018-17862

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2018-016610 // NVD: CVE-2018-17862

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-063

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201903-063

PATCH

title:	Top Page	url:	https://www.sap.com	Trust: 0.8
title:	SAP J2EE Engine Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89741	Trust: 0.6

sources: JVNDB: JVNDB-2018-016610 // CNNVD: CNNVD-201903-063

EXTERNAL IDS

db:	NVD	id:	CVE-2018-17862	Trust: 3.6
db:	PACKETSTORM	id:	151946	Trust: 1.7
db:	BID	id:	107471	Trust: 0.9
db:	JVNDB	id:	JVNDB-2018-016610	Trust: 0.8
db:	NSFOCUS	id:	42867	Trust: 0.6
db:	CNNVD	id:	CNNVD-201903-063	Trust: 0.6
db:	VULMON	id:	CVE-2018-17862	Trust: 0.1

sources: VULMON: CVE-2018-17862 // BID: 107471 // JVNDB: JVNDB-2018-016610 // CNNVD: CNNVD-201903-063 // NVD: CVE-2018-17862

REFERENCES

url:	http://seclists.org/fulldisclosure/2019/mar/8	Trust: 2.5
url:	http://packetstormsecurity.com/files/151946/sap-j2ee-engine-7.01-fiori-test2-cross-site-scripting.html	Trust: 2.4
url:	https://seclists.org/bugtraq/2019/mar/5	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2018-17862	Trust: 0.8
url:	http://www.nsfocus.net/vulndb/42867	Trust: 0.6
url:	http://www.securityfocus.com/bid/107471	Trust: 0.6
url:	http://www.sap.com	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2018-17862 // BID: 107471 // JVNDB: JVNDB-2018-016610 // CNNVD: CNNVD-201903-063 // NVD: CVE-2018-17862

CREDITS

Ece Orsel from Biznet Bilisim.,Ece Orsel ,Ece Orsel

Trust: 0.6

sources: CNNVD: CNNVD-201903-063

SOURCES

db:	VULMON	id:	CVE-2018-17862
db:	BID	id:	107471
db:	JVNDB	id:	JVNDB-2018-016610
db:	CNNVD	id:	CNNVD-201903-063
db:	NVD	id:	CVE-2018-17862

LAST UPDATE DATE

2024-08-14T15:01:22.134000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2018-17862	date:	2021-08-13T00:00:00
db:	BID	id:	107471	date:	2019-03-04T00:00:00
db:	JVNDB	id:	JVNDB-2018-016610	date:	2022-05-09T08:31:00
db:	CNNVD	id:	CNNVD-201903-063	date:	2021-08-16T00:00:00
db:	NVD	id:	CVE-2018-17862	date:	2024-08-05T11:15:37.317

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2018-17862	date:	2021-08-09T00:00:00
db:	BID	id:	107471	date:	2019-03-04T00:00:00
db:	JVNDB	id:	JVNDB-2018-016610	date:	2022-05-09T00:00:00
db:	CNNVD	id:	CNNVD-201903-063	date:	2019-03-04T00:00:00
db:	NVD	id:	CVE-2018-17862	date:	2021-08-09T19:15:07.563