Cross Site Tracing Vulnerability in SAP Business One Service Layer
CVE-2018-2502

6.1MEDIUM

Key Information:

Vendor
SAP
Status
SAP Business One Service Layer (b1 On Hana)
Vendor
CVE Published:
11 December 2018

Summary

The vulnerability arises from the TRACE method being enabled in SAP Business One Service Layer. This configuration allows attackers to exploit a Cross Site Tracing (XST) attack, particularly when frontend applications utilizing the Service Layer possess existing Cross Site Scripting (XSS) vulnerabilities. It is imperative for users of SAP Business One to apply the latest updates, as fixes were implemented in versions 9.2 and 9.3 to mitigate this security risk.

Affected Version(s)

SAP Business One Service Layer (B1_ON_HANA) = 9.2 = 9.2

SAP Business One Service Layer (B1_ON_HANA) = 9.3 = 9.3

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...
x_refsource_MISC
http://www.securityfocus.com/bid/106173
vdb-entryx_refsource_BID
https://launchpad.support.sap.com/#/notes/2680492
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.