SAP S/4HANA Create Single Payment XML Upload DoS via Entity Loop
CVE-2023-41369 Published on September 12, 2023
External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)
The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser.
Vulnerability Analysis
CVE-2023-41369 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
What is a XXE Vulnerability?
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVE-2023-41369 has been classified to as a XXE vulnerability or weakness.
Products Associated with CVE-2023-41369
stack.watch emails you whenever new vulnerabilities are published in SAP S4 Hana or SAP S4hana. Just hit a watch button to start following.
Affected Versions
SAP_SE SAP S/4HANA (Create Single Payment application):- Version 100 is affected.
- Version 101 is affected.
- Version 102 is affected.
- Version 103 is affected.
- Version 104 is affected.
- Version 105 is affected.
- Version 106 is affected.
- Version 107 is affected.
- Version 108 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.