CVE-2023-36920

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated attacker to attempt clickjacking, which could result in disclosure or modification of information.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://launchpad.support.sap.com/#/notes/3326769	Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:enable_now_enable_now_consump_del:1704:::::::*
	cpe:2.3:a:sap:enable_now_wpb_manager:1.0:::::::*
	cpe:2.3:a:sap:enable_now_wpb_manager_ce:10:::::::*
	cpe:2.3:a:sap:enable_now_wpb_manager_hana:10:::::::*

History

08 Nov 2023, 00:16

Type	Values Removed	Values Added
First Time		Sap enable Now Wpb Manager Ce Sap enable Now Enable Now Consump Del Sap enable Now Wpb Manager Hana Sap enable Now Wpb Manager Sap
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
CPE		cpe:2.3:a:sap:enable_now_enable_now_consump_del:1704:::::::* cpe:2.3:a:sap:enable_now_wpb_manager_ce:10:::::::* cpe:2.3:a:sap:enable_now_wpb_manager:1.0:::::::* cpe:2.3:a:sap:enable_now_wpb_manager_hana:10:::::::*
References	~~(MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html -~~	(MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory
References	~~(MISC) https://launchpad.support.sap.com/#/notes/3326769 -~~	(MISC) https://launchpad.support.sap.com/#/notes/3326769 - Permissions Required

30 Oct 2023, 17:20

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-30 17:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-36920

Mitre link : CVE-2023-36920

CVE.ORG link : CVE-2023-36920

JSON object : View

Products Affected

sap

enable_now_enable_now_consump_del
enable_now_wpb_manager_hana
enable_now_wpb_manager
enable_now_wpb_manager_ce

CWE

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

{"id": "CVE-2023-36920", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2023-10-30T17:15:52.260", "references": [{"url": "https://launchpad.support.sap.com/#/notes/3326769", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-1021"}]}, {"type": "Secondary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-1021"}]}], "descriptions": [{"lang": "en", "value": "In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated attacker to attempt clickjacking, which could result in disclosure or modification of information.\n\n\n"}, {"lang": "es", "value": "En SAP Enable Now - versiones WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS el encabezado de respuesta no est\u00e1 implementado, lo que permite que un atacante no autenticado intente hacer click, lo que podr\u00eda resultar en la divulgaci\u00f3n o modificaci\u00f3n de informaci\u00f3n."}], "lastModified": "2023-11-08T00:16:23.700", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:enable_now_enable_now_consump_del:1704:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C52E900-DC61-4CAF-B44C-620BE1159809"}, {"criteria": "cpe:2.3:a:sap:enable_now_wpb_manager:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A615B74-6E92-4697-BB88-53F8CB644644"}, {"criteria": "cpe:2.3:a:sap:enable_now_wpb_manager_ce:10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DDD4FB19-3590-4E47-A179-55C3DDC329B7"}, {"criteria": "cpe:2.3:a:sap:enable_now_wpb_manager_hana:10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "96C53603-D5E9-4F2C-8D15-3AC2EFF6BA66"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}