CVE-2023-27894

CWE-200Information Exposure3 documents3 sources
Severity
5.3MEDIUM
EPSS
0.4%
top 40.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP Businessobjects Business Intelligence Platform (web Services)SAP Businessobjects Business Intelligence
Timeline
PublishedMar 14

Description

SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, allows an attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to execute malicious requests, resulting

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages2 packages

🔴Vulnerability Details

2
CVEList
Sensitive Information Disclosure in the SAP BusinessObjects Business Intelligence platform2023-03-14
GHSA
GHSA-w7jv-qf6x-vrwr: SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, allows an attacker to inject arbitrary values as CMS parameters2023-03-14
CVE-2023-27894 (MEDIUM CVSS 5.3) | SAP BusinessObjects Business Intell | cvebase.io