Cross Site Tracing Vulnerability in SAP Business One Service Layer
CVE-2018-2502

6.1MEDIUM

Key Information:

Vendor

SAP
Status
SAP Business One Service Layer (b1 On Hana)
Vendor
CVE Published:
11 December 2018

What is CVE-2018-2502?

The vulnerability arises from the TRACE method being enabled in SAP Business One Service Layer. This configuration allows attackers to exploit a Cross Site Tracing (XST) attack, particularly when frontend applications utilizing the Service Layer possess existing Cross Site Scripting (XSS) vulnerabilities. It is imperative for users of SAP Business One to apply the latest updates, as fixes were implemented in versions 9.2 and 9.3 to mitigate this security risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

SAP Business One Service Layer (B1_ON_HANA) = 9.2 = 9.2

SAP Business One Service Layer (B1_ON_HANA) = 9.3 = 9.3

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...
x_refsource_MISC
http://www.securityfocus.com/bid/106173
vdb-entryx_refsource_BID
https://launchpad.support.sap.com/#/notes/2680492
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.