CVE-2023-26461

SAP NetWeaver allows (SAP Enterprise Portal) - version 7.50, allows an authenticated attacker with sufficient privileges to access the XML parser which can submit a crafted XML file which when parsed will enable them to access but not modify sensitive files and data. It allows the attacker to view sensitive data which is owned by certain privileges.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://launchpad.support.sap.com/#/notes/3284550	Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:netweaver_enterprise_portal:7.50:*:*:*:*:*:*:*

History

21 Mar 2023, 17:14

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.9
CPE		cpe:2.3:a:sap:netweaver_enterprise_portal:7.50:::::::*
References	~~(MISC) https://launchpad.support.sap.com/#/notes/3284550 -~~	(MISC) https://launchpad.support.sap.com/#/notes/3284550 - Permissions Required
References	~~(MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html -~~	(MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory

14 Mar 2023, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-03-14 05:15

Updated : 2024-02-04 23:14

NVD link : CVE-2023-26461

Mitre link : CVE-2023-26461

CVE.ORG link : CVE-2023-26461

JSON object : View

Products Affected

sap

netweaver_enterprise_portal

CWE

CWE-611

Improper Restriction of XML External Entity Reference

4.9 /10