Vulnerability Details : CVE-2023-28765
An attacker with basic privileges in SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, can get access to lcmbiar file and further decrypt the file. After this attacker can gain access to BI user’s passwords and depending on the privileges of the BI user, the attacker can perform operations that can completely compromise the application.
Vulnerability category: Information leak
Exploit prediction scoring system (EPSS) score for CVE-2023-28765
Probability of exploitation activity in the next 30 days: 0.09%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 38 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2023-28765
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
[email protected] |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
[email protected] |
CWE ids for CVE-2023-28765
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: [email protected] (Secondary)
References for CVE-2023-28765
-
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Vendor Advisory
-
https://launchpad.support.sap.com/#/notes/3298961
Permissions Required
Products affected by CVE-2023-28765
- cpe:2.3:a:sap:businessobjects_business_intelligence:420:*:*:*:*:*:*:*
- cpe:2.3:a:sap:businessobjects_business_intelligence:430:*:*:*:*:*:*:*