CVEs-PoC/2018/CVE-2018-2364.md

### [CVE-2018-2364](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2364)
![](https://img.shields.io/static/v1?label=Product&message=S4FND&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=SAP%20CRM%20WebClient%20UI&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%201.02%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3D%207.01%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Cross-Site%20Scripting%20(XSS)&color=brighgreen)

### Description

SAP CRM WebClient UI 7.01, 7.31, 7.46, 7.47, 7.48, 8.00, 8.01, S4FND 1.02, does not sufficiently validate and/or encode hidden fields, resulting in Cross-Site Scripting (XSS) vulnerability.

### POC

#### Reference
- https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/
- https://launchpad.support.sap.com/#/notes/2541700

#### Github
No PoCs found on GitHub currently.