Vulnerability Description
The default configuration of SAP NetWeaver before 7.0 SP15 does not enable the "Always Use Secure HTML Editor" (aka Editor Security or Secure Editing) parameter, which allows remote attackers to conduct cross-site scripting (XSS) attacks by entering feedback for a file.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sap | Netweaver | <= 7.0 |
Related Weaknesses (CWE)
References
- http://securityreason.com/securityalert/3812
- http://www.aitsec.com/vulnerability-SAP-Netweaver-6.40-7.0-Cross-Site-Scripting.
- http://www.securityfocus.com/archive/1/490625/100/0/threaded
- http://www.securityfocus.com/bid/28699
- http://www.securitytracker.com/id?1019822
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41735
- http://securityreason.com/securityalert/3812
- http://www.aitsec.com/vulnerability-SAP-Netweaver-6.40-7.0-Cross-Site-Scripting.
- http://www.securityfocus.com/archive/1/490625/100/0/threaded
- http://www.securityfocus.com/bid/28699
- http://www.securitytracker.com/id?1019822
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41735
FAQ
What is CVE-2008-1846?
CVE-2008-1846 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The default configuration of SAP NetWeaver before 7.0 SP15 does not enable the "Always Use Secure HTML Editor" (aka Editor Security or Secure Editing) parameter, which allows remote attackers to condu...
How severe is CVE-2008-1846?
CVE-2008-1846 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2008-1846?
Check the references section above for vendor advisories and patch information. Affected products include: Sap Netweaver.