Vulnerability Details : CVE-2018-2474
SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2) application allows an attacker to trick an authenticated user to send unintended request to the web server. This vulnerability is due to insufficient CSRF protection.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2018-2474
- cpe:2.3:a:sap:fiori:1.0:*:*:*:*:erp_hcm:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-2474
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 41 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-2474
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2018-2474
-
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-2474
-
http://www.securityfocus.com/bid/105534
SAP Fiori CVE-2018-2474 Cross Site Request Forgery VulnerabilityThird Party Advisory;VDB Entry
-
https://launchpad.support.sap.com/#/notes/2696889
SAP ONE Support Launchpad: Log OnPermissions Required
-
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=500633095
SAP Security Patch Day – October 2018 - Product Security Response at SAP - SCN WikiVendor Advisory
Jump to