CVE-2023-0016: SQL Injection in SAP BPC MS 10.0

CWE-89: SQL Injection | 4 documents | 4 sources

Severity: 8.8 HIGH (NVD) | CNA: 9.9
EPSS: 0.5% (top 35.12%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 10 | Latest update Jul 25

Description

SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to execute crafted database queries. The exploitation of this issue could lead to SQL injection vulnerability and could allow an attacker to access, modify, and/or delete data from the backend database.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages: 2 packages

🔴 Vulnerability Details (2)

GHSA: GHSA-qv4h-7vx6-66cj: SAP BPC MS 10 (2023-01-10)
CVEList: SQL Injection vulnerability in SAP Business Planning and Consolidation MS (2023-01-10)

📋 Vendor Advisories (1)

VMware: VMware Tanzu Application Service for VMs and Isolation Segment updates address information disclosure vulnerability (CVE-2023-20891) (2023-07-25)