CVE-2023-41369: XML External Entity (XXE) Injection in SAP S/4HANA (SAP SE)

Severity

NVD: 4.3 MEDIUM
CNA: 3.5
EPSS: 0.1% (top 70.74%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline

Published: Sep 12
Latest update: Sep 14

Description

The Create Single Payment application of SAP S/4HANA (versions 100, 101, 102, 103, 104, 105, 106, 107, 108) allows an attacker to upload an XML file as an attachment. When the XML file is clicked in the attachment section, it is opened in the browser, where entity loops slow down the browser.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Exploitability: 2.8 | Impact: 1.4

Affected Packages (2 packages)

NVD: sap/s_4_hana (9 versions)
CVEListV5: sap_se/sap_s_4hana (9 versions)

Vulnerability Details (3)

GHSA (2023-09-14): GHSA-wwvh-435q-gw8h: The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file
CVEList (2023-09-12): External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)
OSV (2023-09-12): CVE-2023-41369: The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file