CVE-2023-27894

Name of the Vulnerable Software and Affected Versions SAP BusinessObjects Business Intelligence Platform (Web Services) versions 420, 430

Description The issue allows an attacker to inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, the attacker can scan the internal network to determine internal infrastructure for further attacks, such as remote file inclusion, retrieve server files, bypass firewall, and force the vulnerable server to execute malicious requests, resulting in sensitive information disclosure. This causes limited impact on confidentiality of data.

Recommendations For versions 420 and 430, consider restricting access to the CMS parameters to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling the Web Services component until a fix is provided. Restrict access to the internal network to prevent further attacks like remote file inclusion and sensitive information disclosure.