CVE-2018-2365
Description
SAP NetWeaver Portal, WebDynpro Java, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP NetWeaver Portal WebDynpro Java fails to encode user inputs, enabling Cross-Site Scripting (XSS) attacks.
Vulnerability
SAP NetWeaver Portal, WebDynpro Java versions 7.30, 7.31, 7.40, and 7.50 do not sufficiently encode user controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability [1]. This allows an attacker to inject arbitrary script into web pages generated by the application.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious input that is not properly encoded and is later rendered in a user's browser. No special network position or authentication is required beyond the ability to submit data to vulnerable WebDynpro components. The attack typically involves social engineering to trick a user into interacting with the crafted link or content.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of session cookies, impersonation of the victim, defacement of the portal, or disclosure of sensitive information displayed on the page.
Mitigation
SAP released a security note as part of the February 2018 Patch Day to address this vulnerability [1]. Customers are strongly advised to apply the patch from the SAP Support Portal. No workarounds are documented; patching is the recommended action.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 7.30, 7.31, 7.40, 7.50
- SAP SE/SAP NetWeaver Portal WebDynpro RunTime v5, Range: 7.30
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/102999 (mitre; vdb-entry, x_refsource_BID)
- blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/ (mitre; x_refsource_CONFIRM)
- launchpad.support.sap.com (mitre; x_refsource_CONFIRM)