CVE-2023-36918

CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
6.1MEDIUM
EPSS
0.5%
top 33.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP SE SAP Enable NOW
Timeline
PublishedJul 11

Description

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-Content-Type-Options response header is not implemented, allowing an unauthenticated attacker to trigger MIME type sniffing, which leads to Cross-Site Scripting, which could result in disclosure or modification of information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

CVEListV5sap_se/sap_enable_now4 versions+3

🔴Vulnerability Details

2
CVEList
Cross-Site Scripting vulnerability in SAP Enable Now2023-07-11
GHSA
GHSA-5cgp-98vf-r77v: In SAP Enable Now - versions WPB_MANAGER 12023-07-11
CVE-2023-36918 (MEDIUM CVSS 6.1) | In SAP Enable Now - versions WPB_MA | cvebase.io