Content Spoofing Vulnerability in SAP NetWeaver and UI Technology
CVE-2018-2434

4.3MEDIUM

Key Information:

Vendor

SAP
Status
SAP Netweaver (ui Infra)
SAP Ui Implementation For Decoupled Innovations (ui 700)
SAP Netweaver
SAP User Interface Technology (SAP Ui)
Vendor
CVE Published:
10 July 2018

What is CVE-2018-2434?

A content spoofing issue exists in multiple components of the SAP NetWeaver platform, which can render HTML pages with arbitrary plain text content. This can mislead users, as they may perceive manipulated information as legitimate. The vulnerability is present in several implementations, including UI add-ons and versions of SAP User Interface Technology, but does not allow for the embedding of active content such as JavaScript or hyperlinks, minimizing immediate exploitation risks.

Affected Version(s)

SAP NetWeaver = 7.0

SAP NetWeaver (UI_Infra) = 1.0

SAP UI Implementation for Decoupled Innovations (UI_700) = 2.0

References

http://www.securityfocus.com/bid/105088
vdb-entryx_refsource_BID
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...
x_refsource_CONFIRM
https://launchpad.support.sap.com/#/notes/2633180
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.