CVE-2018-2502: XSS
First published: Tue Dec 11 2018(Updated: )
TRACE method is enabled in SAP Business One Service Layer . Attacker can use XST (Cross Site Tracing) attack if frontend applications that are using Service Layer has a XSS vulnerability. This has been fixed in SAP Business One Service Layer (B1_ON_HANA, versions 9.2, 9.3).
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP Business One License Service API | =9.2 | |
| SAP Business One License Service API | =9.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-2502?
CVE-2018-2502 has a high severity due to its potential for facilitating Cross Site Tracing attacks.
How do I fix CVE-2018-2502?
To fix CVE-2018-2502, disable the TRACE method in the SAP Business One Service Layer or upgrade to versions 9.2 or 9.3 where the vulnerability is patched.
What is affected by CVE-2018-2502?
CVE-2018-2502 affects the SAP Business One Service Layer version 9.2 and 9.3.
Can CVE-2018-2502 lead to data breaches?
Yes, CVE-2018-2502 can lead to data breaches if an attacker exploits the XST vulnerability in conjunction with XSS vulnerabilities.
What should I monitor for regarding CVE-2018-2502?
Monitor for abnormal access patterns that may indicate attempts to exploit Cross Site Tracing vulnerabilities.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/sap
- canonical/sap business one license service api
- version/sap business one license service api/9.2
- version/sap business one license service api/9.3