CVE-2018-2393

Published: 14/02/2018 Updated: 01/03/2018
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 540
CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

Under certain conditions SAP Internet Graphics Server (IGS) 7.20, 7.20EXT, 7.45, 7.49 and 7.53 fails to validate XML External Entities appropriately, causing the SAP Internet Graphics Server (IGS) to become unavailable.

Vulnerable Products

sap internet graphics server 7.20

sap internet graphics server 7.20ext

sap internet graphics server 7.45

sap internet graphics server 7.49

sap internet graphics server 7.53

Metasploit Modules

SAP Internet Graphics Server (IGS) XMLCHART XXE

This module exploits CVE-2018-2392 and CVE-2018-2393, two XXE vulnerabilities within the XMLCHART page of SAP Internet Graphics Servers (IGS) running versions 7.20, 7.20EXT, 7.45, 7.49, or 7.53. These vulnerabilities occur due to a lack of appropriate validation on the Extension HTML tag when submitting a POST request to the XMLCHART page to generate a new chart. Successful exploitation will allow unauthenticated remote attackers to read files from the server as the user from which the IGS service is started, which will typically be the SAP admin user. Alternatively, attackers can also abuse the XXE vulnerability to conduct a denial of service attack against the vulnerable SAP IGS server.

msf > use auxiliary/admin/sap/sap_igs_xmlchart_xxe
msf auxiliary(sap_igs_xmlchart_xxe) > show actions
    ...actions...
msf auxiliary(sap_igs_xmlchart_xxe) > set ACTION < action-name >
msf auxiliary(sap_igs_xmlchart_xxe) > show options
    ...show and set options...
msf auxiliary(sap_igs_xmlchart_xxe) > run

Github Repositories

SAP IGS XXE attack CVE-2018-2392 and CVE-2018-2393