CVE-2023-36920

EPSS 0.11%
Published 30.10.2023 17:15:52
Last modified 21.11.2024 08:10:55
Source cna@sap.com
Teams watchlist Login
Open Login

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated attacker to attempt clickjacking, which could result in disclosure or modification of information.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ Enable Now Enable Now Consump Del Version1704

SAP ≫ Enable Now Wpb Manager Version1.0

SAP ≫ Enable Now Wpb Manager Ce Version10

SAP ≫ Enable Now Wpb Manager Hana Version10

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.11%	0.304

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cna@sap.com	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-1021 Improper Restriction of Rendered UI Layers or Frames

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Vendor Advisory

https://launchpad.support.sap.com/#/notes/3326769

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2023-36920

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-36920

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-36920

EUVD