The default configuration of SAP NetWeaver before 7.0 SP15 does not enable the "Always Use Secure HTML Editor" (aka Editor Security or Secure Editing) parameter, which allows remote attackers to conduct cross-site scripting (XSS) attacks by entering feedback for a file.
References
Configurations
History
21 Nov 2024, 00:45
| Type | Values Removed | Values Added |
|---|---|---|
| References | () http://securityreason.com/securityalert/3812 - | |
| References | () http://www.aitsec.com/vulnerability-SAP-Netweaver-6.40-7.0-Cross-Site-Scripting.php - | |
| References | () http://www.securityfocus.com/archive/1/490625/100/0/threaded - | |
| References | () http://www.securityfocus.com/bid/28699 - | |
| References | () http://www.securitytracker.com/id?1019822 - | |
| References | () https://exchange.xforce.ibmcloud.com/vulnerabilities/41735 - |
Information
Published : 2008-04-16 17:05
Updated : 2025-04-09 00:30
NVD link : CVE-2008-1846
Mitre link : CVE-2008-1846
CVE.ORG link : CVE-2008-1846
JSON object : View
Products Affected
sap
- netweaver
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')