Detections
Analytics

CVE-2008-1846

medium

Description

The default configuration of SAP NetWeaver before 7.0 SP15 does not enable the "Always Use Secure HTML Editor" (aka Editor Security or Secure Editing) parameter, which allows remote attackers to conduct cross-site scripting (XSS) attacks by entering feedback for a file.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/41735

http://www.securitytracker.com/id?1019822

http://www.securityfocus.com/bid/28699

http://www.securityfocus.com/archive/1/490625/100/0/threaded

http://www.aitsec.com/vulnerability-SAP-Netweaver-6.40-7.0-Cross-Site-Scripting.php

http://securityreason.com/securityalert/3812

Details

Source: Mitre, NVD

Published: 2008-04-16

Updated: 2026-04-23

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00516