CVE-2018-2364

MEDIUM

SAP CRM WebClient UI 7.01-8.01 and S4FND 1.02 - Cross-Site Scripting via Hidden Fields

Title source: llm

Description

SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability.

References (3)

Core 3

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/103002

Permissions Required x_refsource_confirm

https://launchpad.support.sap.com/#/notes/2541700

Vendor Advisory x_refsource_confirm

https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/

Scores

CVSS v3 6.1

EPSS 0.0031

EPSS Percentile 54.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (8)

sap/customer_relationship_management_webclient_ui 7.01

sap/customer_relationship_management_webclient_ui 7.31

sap/customer_relationship_management_webclient_ui 7.46

sap/customer_relationship_management_webclient_ui 7.47

sap/customer_relationship_management_webclient_ui 7.48

sap/customer_relationship_management_webclient_ui 8.00

sap/customer_relationship_management_webclient_ui 8.01

sap/s4fnd 1.02

Published Feb 14, 2018

Tracked Since Feb 18, 2026