CVE-2008-1846

SAP NetWeaver <7.0 SP15 - XSS

Title source: llm

Description

The default configuration of SAP NetWeaver before 7.0 SP15 does not enable the "Always Use Secure HTML Editor" (aka Editor Security or Secure Editing) parameter, which allows remote attackers to conduct cross-site scripting (XSS) attacks by entering feedback for a file.

Scores

EPSS 0.0052
EPSS Percentile 66.3%

Classification

CWE CWE-79
Status draft

Affected Products (1)

sap/netweaver < 7.0

Timeline

Published Apr 16, 2008
Tracked Since Feb 18, 2026