Vulnerability Details : CVE-2023-28762
SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker with administrator privileges to get the login token of any logged-in BI user over the network without any user interaction. The attacker can impersonate any user on the platform resulting into accessing and modifying data. The attacker can also make the system partially or entirely unavailable.
Vulnerability category: Information leak
Products affected by CVE-2023-28762
- cpe:2.3:a:sap:businessobjects_business_intelligence:420:*:*:*:*:*:*:*
- cpe:2.3:a:sap:businessobjects_business_intelligence:430:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-28762
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 40 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-28762
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.1
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
2.3
|
6.0
|
SAP SE | |
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST |
CWE ids for CVE-2023-28762
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: cna@sap.com (Secondary)
References for CVE-2023-28762
-
https://launchpad.support.sap.com/#/notes/3307833
SAP ONE Support Launchpad: Log OnPermissions Required
-
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
SAP Patch Day BlogVendor Advisory
Jump to