History: Dec 12, 2023 - 1:15 a.m.

CVE-2023-42479

2023-12-12 01:15:10
CWE-79
web.nvd.nist.gov
Tags: cve-2023-42479, unauthenticated attacker, biller direct, cross-site scripting, information disclosure, modification

CVSS3: 6.1 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
Percentile: 20.7%

An unauthenticated attacker can embed a hidden access to a Biller Direct URL in a frame which, when loaded by the user, will submit a cross-site scripting request to the Biller Direct system. This can result in the disclosure or modification of non-sensitive information.

Affected configurations

NVD

Node (OR):
sap | biller_direct | Match 635
sap | biller_direct | Match 750

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP Biller Direct",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "635"
      },
      {
        "status": "affected",
        "version": "750"
      }
    ]
  }
]
