SAP PowerDesigner v16.7 XML Import External Entity URLs accessed leads DoS
CVE-2023-40310 Published on October 10, 2023
Missing XML Validation vulnerability in SAP PowerDesigner Client BPMN2 import
SAP PowerDesigner Client - version 16.7, does not sufficiently validate BPMN2 XML document imported from an untrusted source. As a result, URLs of external entities in BPMN2 file, although not used, would be accessed during import. A successful attack could impact availability of SAP PowerDesigner Client.
Vulnerability Analysis
CVE-2023-40310 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Missing XML Validation
The software accepts XML from an untrusted source but does not validate the XML against the proper schema. Most successful attacks begin with a violation of the programmer's assumptions. By accepting an XML document without validating it against a DTD or XML schema, the programmer leaves a door open for attackers to provide unexpected, unreasonable, or malicious input.
Products Associated with CVE-2023-40310
Want to know whenever a new CVE is published for SAP Powerdesigner? stack.watch will email you.
Affected Versions
SAP_SE SAP PowerDesigner Client Version 16.7 is affected by CVE-2023-40310Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.