CVE-2023-36920 MEDIUM

CVE-2023-36920: Clickjacking vulnerability in SAP Enable Now

Vendor Sap Se
Product SAP Enable Now
Weakness CWE-1021
Published October 30, 2023
Last update September 6, 2024

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated attacker to attempt clickjacking, which could result in disclosure or modification of information.

Key dates

02Disclosure timeline

October 30, 2023 CVE published
September 6, 2024 Record updated