SAP BOBJ PromoMgr Priv Escalation via lcmbiar Decrypt
CVE-2023-28765 Published on April 11, 2023
Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management )
An attacker with basic privileges in SAP BusinessObjects Business Intelligence Platform (Promotion Management) - versions 420, 430, can get access to lcmbiar file and further decrypt the file. After this attacker can gain access to BI users passwords and depending on the privileges of the BI user, the attacker can perform operations that can completely compromise the application.
Vulnerability Analysis
CVE-2023-28765 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2023-28765 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2023-28765
Want to know whenever a new CVE is published for SAP Businessobjects Business Intelligence? stack.watch will email you.
Affected Versions
SAP BusinessObjects Business Intelligence Platform (Promotion Management):- Version 420 is affected.
- Version 430 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.