Vulnerability Details CVE-2018-2502
TRACE method is enabled in SAP Business One Service Layer . Attacker can use XST (Cross Site Tracing) attack if frontend applications that are using Service Layer has a XSS vulnerability. This has been fixed in SAP Business One Service Layer (B1_ON_HANA, versions 9.2, 9.3).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 59.3%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- http://www.securityfocus.com/bid/106173
- https://launchpad.support.sap.com/#/notes/2680492
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699
- http://www.securityfocus.com/bid/106173
- https://launchpad.support.sap.com/#/notes/2680492
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=508559699
Products affected by CVE-2018-2502
-
cpe:2.3:a:sap:business_one_on_hana:9.2
-
cpe:2.3:a:sap:business_one_on_hana:9.3