SAP BusinessObjects Business Intelligence Platform (Web Services) - versions 420, 430, allows an attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network which is otherwise not accessible externally. On successful exploitation, attacker can scan internal network to determine internal infrastructure for further attacks like remote file inclusion, retrieve server files, bypass firewall and force the vulnerable server to execute malicious requests, resulting in sensitive information disclosure. This causes limited impact on confidentiality of data.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: sap
Published: 2023-03-14T05:03:25.121Z
Updated: 2024-08-02T12:23:29.758Z
Reserved: 2023-03-07T07:53:14.886Z
Link: CVE-2023-27894
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-03-14T06:15:12.443
Modified: 2024-11-21T07:53:39.020
Link: CVE-2023-27894
Redhat
No data.