CVE-2023-26461 MEDIUM

CVE-2023-26461: XML External Entity (XXE) vulnerability in SAP NetWeaver (SAP Enterprise Portal)

Vendor SAP
Product NetWeaver (SAP Enterprise Portal)
Weakness CWE-611 · XXE
Published March 14, 2023
Last update February 27, 2025

CVSS base score

6.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01 Description

SAP NetWeaver (SAP Enterprise Portal), version 7.50, allows an authenticated attacker with sufficient privileges to access the XML parser and submit a crafted XML file which, when parsed, enables them to access, but not modify, sensitive files and data. The attacker can view sensitive data which is owned by certain privileges.

Key dates

02 Disclosure timeline

March 14, 2023 CVE published
February 27, 2025 Record updated