CVE-2018-2491

EPSS 0.8%

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

13 Nov 2018Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

When opening a deep link URL in SAP Fiori Client with log level set to "Debug", the client application logs the URL to the log file. If this URL contains malicious JavaScript code it can eventually run inside the built-in log viewer of the application in case user opens the viewer and taps on the hyperlink in the viewer. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.

Affected products

SAP · SAP Fiori Client

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://launchpad.support.sap.com/#/notes/2691126 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=503809832