Description
Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files. These files include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker can cause limited impact on confidentiality and Integrity of the application.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected products
- SAP_SE / SAP Enable NowWPB_MANAGER_CE 10 – WPB_MANAGER_CE 10
- SAP_SE / SAP Enable NowWPB_MANAGER_HANA 10 – WPB_MANAGER_HANA 10
- SAP_SE / SAP Enable NowENABLE_NOW_CONSUMP_DEL 1704 – ENABLE_NOW_CONSUMP_DEL 1704