CVE-2018-2424
high-risk
Published 2018-06-12
SAP UI5 did not validate user input before adding it to the DOM structure. This may lead to malicious user-provided JavaScript code being added to the DOM that could steal user information. Software components affected are: SAP Hana Database 1.00, 2.00; SAP UI5 1.00; SAP UI5 (Java) 7.30, 7.31, 7.40, 7.50; SAP UI 7.40, 7.50, 7.51, 7.52, and version 2.0 of SAP UI for SAP NetWeaver 7.00.
Do I need to act?
0.29% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10
Critical
NETWORK / LOW complexity
Affected Products (12)
Hana Database
Hana Database
Ui
Ui
Ui
Ui
Ui
Ui5
Ui5 Java
Ui5 Java
Ui5 Java
Ui5 Java
Affected Vendors
References (6)
Third Party Advisory
http://www.securityfocus.com/bid/104459
Permissions Required
https://launchpad.support.sap.com/#/notes/2538856
50 / 100
high-risk
Severity
32/34 · Critical
Exploitability
1/34 · Minimal
Exposure
17/34 · Moderate