CSRF in SAP Fiori

CVE-2018-2474

SAP Fiori 1.0 for SAP ERP HCM (Approve Leave Request, version 2) application allows an attacker to trick an authenticated user into sending an unintended request to the web server. This vulnerability is due to insufficient CSRF protection.

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.007 (47.3rd percentile).

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N.

Affected products

Weakness classification (CWE)

References

  • cna@sap.com (x_refsource_CONFIRM, Vendor Advisory)
  • cna@sap.com (VDB Entry, Third Party Advisory, vdb-entry, x_refsource_BID)
  • cna@sap.com (Permissions Required, x_refsource_MISC)

Frequently asked questions

What is CVE-2018-2474?
CVE-2018-2474 is a medium-severity vulnerability in SAP Fiori, classified under Cross-Site Request Forgery (CSRF). CVSS score: 6.5/10. Published 2018-10-09.
How severe is CVE-2018-2474?
Medium severity. CVSS v3 base score is 6.5 out of 10.