CVE-2023-40621 MEDIUM

CVE-2023-40621: Code Injection vulnerability in SAP PowerDesigner Client

Vendor SAP SE
Product SAP PowerDesigner Client
Weakness CWE-94 · Code injection
Published September 12, 2023
Last update September 25, 2024

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

Description

SAP PowerDesigner Client version 16.7 allows an unauthenticated attacker to inject VBScript code into a document and have it executed by the application, on behalf of the user, when an unsuspecting user opens that document. The application has a security option to disable untrusted scripts or to prompt the user before they run, but the option is not enabled by default. Until it is enabled, a PowerDesigner model or extension file received from an untrusted source should be treated as executable content, not as data.
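Because the prompt is off by default, a practical mitigation while the option is being rolled out is to triage incoming model files before anyone opens them. The scanner below is an added example, not SAP's code and not taken from the advisory. It assumes only that PowerDesigner model and extension files are XML and that scripts live in text nodes; the element names in the constructed sample (RootObject, Children, EventHandlers) and the indicator list are assumptions for illustration, so tune the patterns to what your own models legitimately contain.

```python
import re
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Generic VBScript/COM patterns that reach outside the application. These are heuristics,
# not PowerDesigner-specific names: a script that only touches model objects will usually
# match "VBScript body" alone, which is still worth a look when the file is untrusted.
INDICATORS = [
    ("VBScript body", re.compile(r"^\s*(Sub|Function|Dim|Set)\b", re.I | re.M)),
    ("CreateObject", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("WScript.Shell", re.compile(r"WScript\.Shell", re.I)),
    ("Shell.Application", re.compile(r"Shell\.Application", re.I)),
    ("FileSystemObject", re.compile(r"Scripting\.FileSystemObject", re.I)),
    ("HTTP client", re.compile(r"MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I)),
    ("ADODB.Stream", re.compile(r"ADODB\.Stream", re.I)),
    ("dynamic eval", re.compile(r"\b(Execute|ExecuteGlobal|Eval)\s*\(", re.I)),
    ("shell run", re.compile(r"\.(Run|Exec|ShellExecute)\s*[(\"]", re.I)),
]


@dataclass
class Finding:
    path: str        # element path of the text node, namespace prefixes dropped
    indicator: str   # name from INDICATORS
    line: str        # the source line that matched


def _check_text(path: str, text: str) -> list:
    findings = []
    for name, pattern in INDICATORS:
        m = pattern.search(text)
        if m:
            start = text.rfind("\n", 0, m.start()) + 1
            end = text.find("\n", m.end())
            line = text[start:(end if end != -1 else len(text))].strip()
            findings.append(Finding(path, name, line))
    return findings


def scan_model_xml(data: bytes) -> list:
    """Scan every text node (CDATA included) of a PowerDesigner XML file for script indicators.
    A file that does not parse as XML is scanned as one raw text blob so nothing is skipped."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return _check_text("(raw)", data.decode("utf-8", errors="replace"))
    findings = []

    def visit(elem, path):
        here = f"{path}/{elem.tag.split('}')[-1]}"
        if elem.text:
            findings.extend(_check_text(here, elem.text))
        for child in elem:
            visit(child, here)
            if child.tail:  # text between children belongs to the parent element
                findings.extend(_check_text(here, child.tail))

    visit(root, "")
    return findings


def scan_file(filename: str) -> list:
    with open(filename, "rb") as fh:
        return scan_model_xml(fh.read())


# Constructed sample (not a real exported model): a minimal XML skeleton with a VBScript
# event handler in a CDATA text node. The element names are assumed for illustration.
SAMPLE_MODEL = b"""<?xml version="1.0" encoding="UTF-8"?>
<?PowerDesigner AppLocale="UTF16"?>
<Model xmlns:a="attribute" xmlns:c="collection" xmlns:o="object">
<o:RootObject Id="o1">
<c:Children>
<o:Model Id="o2">
<a:Name>Orders</a:Name>
<a:EventHandlers><![CDATA[Sub Initialize()
  Set sh = CreateObject("WScript.Shell")
  sh.Run "calc.exe"
End Sub]]></a:EventHandlers>
</o:Model>
</c:Children>
</o:RootObject>
</Model>
"""

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        results = [(name, scan_file(name)) for name in targets]
    else:
        results = [("SAMPLE_MODEL", scan_model_xml(SAMPLE_MODEL))]
    for name, findings in results:
        for f in findings:
            print(f"{name}: {f.indicator} at {f.path}: {f.line}")
```

Run it as `python scan_pd.py *.pdm *.cdm *.xem` over a drop folder; any file with a finding goes to a reviewer rather than straight to a modeller's desktop. The fallback to raw-text scanning matters because a deliberately malformed file still opens in some tools while defeating an XML-only check.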

Key dates

Disclosure timeline

September 12, 2023 CVE published
September 25, 2024 Record updated