PT-2023-19252 · SAP · SAP Business Planning/Consolidation

Published: 2023-02-14 · Updated: 2023-04-12 · CVE-2023-23851

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: SAP Business Planning and Consolidation versions 200, 300

Description: The issue allows an attacker with business authorization to upload arbitrary files, including web pages, because uploads are not subjected to proper file format validation. If other users visit the uploaded malicious web page, the attacker can perform actions on their behalf without their consent, impacting the confidentiality and integrity of the system.

Recommendations: For versions 200 and 300, restrict file upload capability to authorized users and implement proper file format validation to prevent malicious file uploads. As a temporary workaround, consider disabling the file upload feature until a patch is available. Restrict access to uploaded files to minimize the risk of exploitation.
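The two controls the recommendations name, file format validation on upload and restricted serving of stored files, are shown below as an added example; it is not SAP's code and assumes a hypothetical allow-list of business-data formats (CSV, XLSX, PDF, PNG) and a plain dictionary of HTTP response headers.

```python
import os
import re
import secrets

# Allow-list: extension -> magic bytes the content must start with (b"" = text, no magic).
# Assumed set of formats for illustration; HTML, SVG, JS and the like are deliberately absent.
ALLOWED_TYPES = {
    ".csv": b"",
    ".xlsx": b"PK\x03\x04",            # OOXML zip container
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Markup that would turn a "text" upload into a page if a browser ever rendered it.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|html|iframe|svg|object|embed)\b", re.IGNORECASE)


def validate_upload(filename, data):
    """Return (accepted, reason). Anything not positively on the allow-list is rejected."""
    base = os.path.basename(filename)
    if not base or base != filename:
        return False, "path components are not allowed in a file name"
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if not stem or ext not in ALLOWED_TYPES:
        return False, "extension %r is not on the allow-list" % ext
    if not data:
        return False, "empty file"
    if not data.startswith(ALLOWED_TYPES[ext]):          # declared type must match content
        return False, "content does not match the %s format" % ext
    if ext == ".csv" and (b"\x00" in data or ACTIVE_CONTENT.search(data)):
        return False, "text upload contains binary or active content"
    return True, "ok"


def safe_storage_name(filename):
    """Never store under the user-supplied name: random stem plus the validated extension."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


def download_headers(original_name):
    """Headers for serving a stored file: force download, forbid MIME sniffing and scripting."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(original_name))
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }
```

Even with validation in place, serving uploads with these headers from a separate origin keeps a file that slips through from running in the application's session context.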

Fix

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2023-23851

Affected Products: SAP Business Planning/Consolidation