CVE-2018-2478
HIGH
SAP Basis 7.0-7.02, 7.10-7.11, 7.30, 7.31, 7.40, 7.50-7.53 - OS Command Injection via TREX/BWA Input
Title source: llmDescription
An attacker can use specially crafted inputs to execute commands on the host of a TREX / BWA installation. Affected SAP Basis versions: 7.0 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40 and 7.50 to 7.53. Not all commands are possible, only those that the <sid>adm user can execute, so the impact depends on the privileges of the <sid>adm user.
References (3)
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/105904
Permissions Required, Vendor Advisory x_refsource_misc
https://launchpad.support.sap.com/#/notes/2675696
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=503809832
Scores
CVSS v3
7.2
EPSS
0.0030
EPSS Percentile
53.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (4)
sap/basis
7.30
sap/basis
7.31
sap/basis
7.40
sap/basis
7.0 - 7.02
Published
Nov 13, 2018
Tracked Since
Feb 18, 2026