SB2023041721 - Multiple vulnerabilities in SAP Application Interface Framework (AIF)


Published: April 17, 2023

Security Bulletin ID: SB2023041721
Severity: Low
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2023-29111)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the ODATA service. A remote user can gain unauthorized access to sensitive information on the system.


2) Cross-site scripting (CVE-ID: CVE-2023-29112)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Message Monitoring and Message Monitoring for Administrators applications. A remote user can inject and execute arbitrary HTML code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


3) Cross-site scripting (CVE-ID: CVE-2023-29110)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the Custom Hint of the Message Dashboard. A remote user can inject and execute arbitrary HTML code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
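Both XSS issues above (items 2 and 3) share the same root cause: text entered into a monitoring or custom-hint field is later written into a page without being encoded for the HTML context it lands in. The following Python example is added here for illustration and is not code from the bulletin or from SAP AIF; it assumes a hypothetical hint value that is shown both as visible text and as a title attribute, and uses constructed sample inputs. It shows context-specific output encoding (the fix) next to a simple input-side check that flags stored values containing tag-like markup (useful for review or logging).

```python
import html
import re

# Constructed sample values, standing in for text an administrator enters into a custom hint
# or message-monitoring field and that is later displayed to other users.
SAMPLE_HINTS = [
    "Check the order status before reprocessing",
    "<b>Note:</b> escalate after 2 retries",
    'Use "Retry" & then "Restart"',
]

def escape_for_html_text(value: str) -> str:
    """Encode a value for placement between tags: & < > become entities."""
    return html.escape(value, quote=False)

def escape_for_html_attr(value: str) -> str:
    """Encode a value for placement inside a quoted attribute: also encodes " and '."""
    return html.escape(value, quote=True)

def render_hint(hint: str) -> str:
    """Render one hint so that the stored value stays data in both contexts it appears in
    (hypothetical markup; the real application's templates differ)."""
    return '<span class="hint" title="{}">{}</span>'.format(
        escape_for_html_attr(hint), escape_for_html_text(hint))

# Matches anything shaped like an HTML tag: '<', optional '/', a letter, then up to the next '>'.
# A bare '<' followed by whitespace (as in "a < b") is deliberately not matched.
TAG_RE = re.compile(r"</?[a-zA-Z][^>]*>")

def contains_markup(value: str) -> bool:
    """Input-side check: flag stored hints that contain tag-like markup for review or logging.
    This complements output encoding; it does not replace it."""
    return bool(TAG_RE.search(value))

def render_all(hints):
    """Render a list of hints; every returned string is safe to embed in an HTML document."""
    return [render_hint(h) for h in hints]

if __name__ == "__main__":
    for h in SAMPLE_HINTS:
        print("markup:", contains_markup(h), "|", render_hint(h))
```

The encoding functions are chosen per context: text between tags only needs `&`, `<` and `>` encoded, while an attribute value must also have quotes encoded, otherwise a stored value could terminate the attribute. The `contains_markup` check is a detection aid only; legitimate hints may contain angle brackets, and encoding on output is what actually prevents the injected HTML from executing.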


4) Improper neutralization of formula elements in a CSV File (CVE-ID: CVE-2023-29109)

The vulnerability allows a remote user to manipulate the contents of CSV files.

The vulnerability exists due to improper validation of user-supplied input when processing the contents of the Tooltip of the Custom Hints List field in the Message Dashboard. A remote user can inject arbitrary Excel formulas into CSV files and execute arbitrary code in the Excel document when the CSV file is viewed.
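The class of bug described in item 4 is CSV (formula) injection: a cell whose text begins with a formula trigger character is evaluated, not displayed, when the export is opened in a spreadsheet. The Python example below is added for illustration and is not code from the bulletin or from SAP AIF; it assumes a hypothetical export of hint tooltips and uses constructed sample rows. It shows the neutralization an exporter should apply (prefixing formula-like string cells with a single quote and quoting every field), and a scanner that reports formula-like cells in a CSV document produced by a system you do not control.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a formula,
# plus tab and carriage return, which can carry a trigger past naive checks
# (the set recommended by OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows, standing in for an export of custom hint tooltips.
SAMPLE_ROWS = [
    ["hint_id", "tooltip"],
    ["H1", "Check the order status before reprocessing"],
    ["H2", "=SUM(1,2)"],              # constructed formula-like value
    ["H3", "-5 retries remaining"],   # a leading '-' is also a trigger
]

def is_formula_like(value) -> bool:
    """True if a string cell would be evaluated as a formula when the CSV is opened in a spreadsheet."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)

def neutralize_cell(value):
    """Neutralize one cell for export.

    Strings that start with a formula trigger get a leading single quote, which makes the
    spreadsheet treat the cell as literal text. Non-string values (numbers, None) are
    returned unchanged, so genuine negative numbers are not mangled.
    """
    if is_formula_like(value):
        return "'" + value
    return value

def export_rows(rows, neutralize=True) -> str:
    """Serialize rows to CSV text. Every field is quoted so embedded commas, quotes and
    newlines cannot break the row structure; neutralization is applied per cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row] if neutralize else row)
    return buf.getvalue()

def find_formula_cells(csv_text: str):
    """Scan a CSV document and return (row, column, value) for each formula-like cell."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings

if __name__ == "__main__":
    raw = export_rows(SAMPLE_ROWS, neutralize=False)
    print("formula-like cells in raw export:", find_formula_cells(raw))
    print(export_rows(SAMPLE_ROWS))
```

The single-quote prefix is visible to users who open the file in a text editor, which is the accepted trade-off; an alternative for exporters that control the consumer is to emit a real spreadsheet format with explicit cell types. The scanner is a detection aid for reviewing exports already produced (for example, from an unpatched system) before they are opened in Excel.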


Remediation

Install the update from the vendor's website.