Lucene search

SapCVELIST:CVE-2023-41365

HistoryOct 10, 2023 - 1:35 a.m.

CVE-2023-41365 Information Disclosure vulnerability in SAP Business One (B1i)

2023-10-1001:35:57

CWE-611

sap

www.cve.org

sap business one

information disclosure

xxe injection

cve-2023-41365

confidentiality

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.8

Confidence

High

EPSS

0.001

Percentile

18.6%

JSON

SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the details stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. After successful exploitation, an attacker can cause limited impact on the confidentiality and no impact to the integrity and availability.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "SAP Business One (B1i)",
    "vendor": "SAP_SE",
    "versions": [
      {
        "status": "affected",
        "version": "10.0"
      }
    ]
  }
]

References

me.sap.com/notes/3338380

www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.8

Confidence

High

EPSS

0.001

Percentile

18.6%

JSON

Related for CVELIST:CVE-2023-41365