CVE-2018-2502

MEDIUM

SAP Business One Service Layer <9.2-9.3 - XSS

Title source: llm

Description

TRACE method is enabled in SAP Business One Service Layer . Attacker can use XST (Cross Site Tracing) attack if frontend applications that are using Service Layer has a XSS vulnerability. This has been fixed in SAP Business One Service Layer (B1_ON_HANA, versions 9.2, 9.3).

References (3)

Core 3

Core References

Vendor Advisory x_refsource_misc

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/106173

Permissions Required, Vendor Advisory x_refsource_misc

https://launchpad.support.sap.com/#/notes/2680492

Scores

CVSS v3 6.1

EPSS 0.0037

EPSS Percentile 58.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

sap/business_one_on_hana 9.2

sap/business_one_on_hana 9.3

Published Dec 11, 2018

Tracked Since Feb 18, 2026