CVE-2018-2424

SAP UI5 did not validate user input before adding it to the DOM structure. This may lead to malicious user-provided JavaScript code being added to the DOM that could steal user information. Software components affected are: SAP Hana Database 1.00, 2.00; SAP UI5 1.00; SAP UI5 (Java) 7.30, 7.31, 7.40, 7,50; SAP UI 7.40, 7.50, 7.51, 7.52, and version 2.0 of SAP UI for SAP NetWeaver 7.00
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
sapCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
VendorProductVersion
saphana_database
1.00
saphana_database
2.00
sapui
2.0
sapui
7.40
sapui
7.50
sapui
7.51
sapui
7.52
sapui5
1.00
sapui5_java
7.30
sapui5_java
7.31
sapui5_java
7.40
sapui5_java
7.50
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/104459
https://launchpad.support.sap.com/#/notes/2538856
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=495289255
http://www.securityfocus.com/bid/104459
https://launchpad.support.sap.com/#/notes/2538856
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=495289255