CVE-2023-36920

CWE-1021 — Clickjacking3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.1%

top 70.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Enable NOW SAP Enable NOW Enable NOW Consump DEL SAP Enable NOW WPB Manager +2 more

Timeline

PublishedOct 30

Description

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated attacker to attempt clickjacking, which could result in disclosure or modification of information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶CVEListV5sap_se/sap_enable_nowENABLE_NOW_CONSUMP_DEL 1704, WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10+2

▶NVDsap/enable_now_wpb_manager1.0

▶NVDsap/enable_now_wpb_manager_ce10

▶NVDsap/enable_now_wpb_manager_hana10

▶NVDsap/enable_now_enable_now_consump_del1704

🔴Vulnerability Details

GHSA

GHSA-fg6q-x7qr-4pp3: In SAP Enable Now - versions WPB_MANAGER 1↗2023-10-30

▶

CVEList

Clickjacking vulnerability in SAP Enable Now↗2023-10-30

▶