CVE-2023-42472

Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)

CVSS 8.7 HIGHEPSS 0.5%CWE-434

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.7EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

12 sep 2023Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Due to insufficient file type validation, SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) - version 420, allows a report creator to upload files from local system into the report over the network. When uploading the image file, an authenticated attacker could intercept the request, modify the content type and the extension to read and modify sensitive data causing a high impact on confidentiality and integrity of the application.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Productos afectados

SAP_SE · SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://me.sap.com/notes/3370490 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html