Cross-Site Scripting Vulnerability in SAP J2EE Engine by SAP
CVE-2018-17865

6.1MEDIUM

Key Information:

Vendor: SAP
Status: J2ee Engine
Vendor: CVE Published:; 9 August 2021

Summary

A cross-site scripting vulnerability exists in SAP J2EE Engine 7.01, enabling remote attackers to exploit the wsdlPath parameter of the /ctcprotocol/Protocol endpoint. This weakness allows for the injection of arbitrary web scripts, compromising the integrity of the web application. Notably, this vulnerability affects products that are no longer supported by the vendor, leaving them unpatched and susceptible to exploitation.

References

https://seclists.org/bugtraq/2019/Mar/6

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Aug 9, 2021
Vulnerability Reserved
Oct 1, 2018