ID

VAR-202108-0228


CVE

CVE-2018-17865


TITLE

SAP J2EE Engine Cross-site Scripting Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-016608

DESCRIPTION

A cross-site scripting (XSS) vulnerability in SAP J2EE Engine 7.01 allows remote attackers to inject arbitrary web script via the wsdlPath parameter to /ctcprotocol/Protocol. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.

Trust: 1.98

sources: NVD: CVE-2018-17865 // JVNDB: JVNDB-2018-016608 // BID: 107467 // VULMON: CVE-2018-17865

AFFECTED PRODUCTS

vendor: sap, model: j2ee engine, scope: eq, version: 7.01

Trust: 1.8

vendor: sap, model: j2ee engine, scope: eq, version: -

Trust: 0.8

vendor: sap, model: j2ee engine core, scope: eq, version: 7.01

Trust: 0.3

sources: BID: 107467 // JVNDB: JVNDB-2018-016608 // NVD: CVE-2018-17865

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-17865
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-17865
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201903-064
value: MEDIUM

Trust: 0.6

VULMON: CVE-2018-17865
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-17865
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2018-17865
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2018-17865
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2018-17865 // JVNDB: JVNDB-2018-016608 // CNNVD: CNNVD-201903-064 // NVD: CVE-2018-17865

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2018-016608 // NVD: CVE-2018-17865

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-064

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201903-064

PATCH

title: Top Page, url: http://www.sap.com/index.html

Trust: 0.8

title: SAP J2EE Engine Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89742

Trust: 0.6

sources: JVNDB: JVNDB-2018-016608 // CNNVD: CNNVD-201903-064

EXTERNAL IDS

db: NVD, id: CVE-2018-17865

Trust: 3.6

db: BID, id: 107467

Trust: 0.9

db: JVNDB, id: JVNDB-2018-016608

Trust: 0.8

db: PACKETSTORM, id: 151947

Trust: 0.7

db: NSFOCUS, id: 42865

Trust: 0.6

db: CNNVD, id: CNNVD-201903-064

Trust: 0.6

db: VULMON, id: CVE-2018-17865

Trust: 0.1

sources: VULMON: CVE-2018-17865 // BID: 107467 // JVNDB: JVNDB-2018-016608 // CNNVD: CNNVD-201903-064 // NVD: CVE-2018-17865

REFERENCES

url:https://seclists.org/bugtraq/2019/mar/6

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2018-17865

Trust: 0.8

url:https://packetstormsecurity.com/files/151947/sap-j2ee-engine-7.01-fiori-protocol-cross-site-scripting.html

Trust: 0.7

url:http://www.securityfocus.com/bid/107467

Trust: 0.6

url:http://www.nsfocus.net/vulndb/42865

Trust: 0.6

url:http://www.sap.com

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/79.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2018-17865 // BID: 107467 // JVNDB: JVNDB-2018-016608 // CNNVD: CNNVD-201903-064 // NVD: CVE-2018-17865

CREDITS

Ece Orsel from Biznet Bilisim.

Trust: 0.6

sources: CNNVD: CNNVD-201903-064

SOURCES

db: VULMON, id: CVE-2018-17865
db: BID, id: 107467
db: JVNDB, id: JVNDB-2018-016608
db: CNNVD, id: CNNVD-201903-064
db: NVD, id: CVE-2018-17865

LAST UPDATE DATE

2024-08-14T15:22:12.016000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2018-17865, date: 2021-08-13T00:00:00
db: BID, id: 107467, date: 2019-03-04T00:00:00
db: JVNDB, id: JVNDB-2018-016608, date: 2022-05-02T09:16:00
db: CNNVD, id: CNNVD-201903-064, date: 2021-08-16T00:00:00
db: NVD, id: CVE-2018-17865, date: 2024-08-05T11:15:37.390

SOURCES RELEASE DATE

db: VULMON, id: CVE-2018-17865, date: 2021-08-09T00:00:00
db: BID, id: 107467, date: 2019-03-04T00:00:00
db: JVNDB, id: JVNDB-2018-016608, date: 2022-05-02T00:00:00
db: CNNVD, id: CNNVD-201903-064, date: 2019-03-04T00:00:00
db: NVD, id: CVE-2018-17865, date: 2021-08-09T19:15:07.600