CVE-2023-26461: XML External Entity (XXE) Injection in SAP Netweaver

Severity
4.9 MEDIUM (NVD)
6.8 (CNA)
EPSS
0.3%
top 50.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Mar 14

Description

SAP NetWeaver (SAP Enterprise Portal), version 7.50, allows an authenticated attacker with sufficient privileges to access the XML parser and submit a crafted XML file which, when parsed, enables them to access but not modify sensitive files and data. It allows the attacker to view sensitive data which is owned by certain privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.2 | Impact: 3.6

Affected Packages: 2 packages

Vulnerability Details (2)

CVEList: XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal), 2023-03-14
GHSA: GHSA-6cmx-5pqj-8h85: SAP NetWeaver allows (SAP Enterprise Portal) - version 7, 2023-03-14