CVE-2023-28762 CRITICAL

CVE-2023-28762: Information Disclosure in SAP BusinessObjects Intelligence Platform

Vendor Sap_Se
Product SAP BusinessObjects Intelligence Platform
Weakness CWE-200 · Info exposure
Published May 9, 2023
Last update January 28, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an authenticated attacker with administrator privileges to get the login token of any logged-in BI user over the network without any user interaction. The attacker can impersonate any user on the platform resulting into accessing and modifying data. The attacker can also make the system partially or entirely unavailable.

Key dates

02Disclosure timeline

May 9, 2023 CVE published
January 28, 2025 Record updated