SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force, due to unrestricted rate limit for password change functionality. Although the attack has no impact on integrity loss or system availability, this could lead to an attacker to completely takeover a victim’s account.
References
Link | Resource |
---|---|
https://me.sap.com/notes/3320702 | Permissions Required |
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
18 Jul 2023, 17:01
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:sap:businessobjects_business_intelligence:430:*:*:*:*:*:*:* cpe:2.3:a:sap:businessobjects_business_intelligence:420:*:*:*:*:*:*:* |
|
References | (MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory | |
References | (MISC) https://me.sap.com/notes/3320702 - Permissions Required | |
First Time |
Sap
Sap businessobjects Business Intelligence |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
11 Jul 2023, 03:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-11 03:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-36917
Mitre link : CVE-2023-36917
CVE.ORG link : CVE-2023-36917
JSON object : View
Products Affected
sap
- businessobjects_business_intelligence
CWE
CWE-307
Improper Restriction of Excessive Authentication Attempts