PT-2023-4097 · SAP · SAP BusinessObjects Business Intelligence Platform

Published: 2023-07-11 · Updated: 2023-08-01 · CVE-2023-36917

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SAP BusinessObjects Business Intelligence Platform versions 420, 430

Description: The issue allows an unauthorized attacker who has hijacked a user session to recover the victim's current (old) password by brute force, because the password change functionality does not limit the rate of attempts. This could lead to an attacker completely taking over the victim's account. The attack has no impact on integrity or system availability.

Recommendations: For versions 420 and 430, consider implementing rate limiting for the password change functionality to prevent brute-force attacks. As a temporary workaround, restrict access to the password change functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
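The following is an added illustration of the recommended mitigation, not SAP code and not a patch for the product: a password-change handler that verifies the old password and refuses further attempts once a per-account failure budget is exhausted. The class, store, limit values and hashing parameters are hypothetical choices made for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_ATTEMPTS = 5      # failed old-password checks tolerated per account per window
WINDOW_SECONDS = 900  # sliding 15-minute window (hypothetical policy values)


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash of a password (constructed for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordChangeService:
    """In-memory stand-in for an application's password-change handler."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable so tests can advance time
        self.users = {}                         # user_id -> (salt, password hash)
        self.failures = defaultdict(list)       # user_id -> failed-attempt timestamps

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = (salt, _derive(password, salt))

    def _recent_failures(self, user_id: str) -> int:
        """Drop failures older than the window and return how many remain."""
        cutoff = self.clock() - WINDOW_SECONDS
        self.failures[user_id] = [t for t in self.failures[user_id] if t > cutoff]
        return len(self.failures[user_id])

    def change_password(self, user_id: str, old_password: str, new_password: str) -> str:
        """Return 'ok', 'wrong_password' or 'rate_limited'.

        The weakness the advisory describes is this method without the first
        check: a caller holding the victim's session could retry without bound.
        The budget is keyed by the target account, not by session or IP,
        because the caller already holds a valid session for that account.
        """
        if self._recent_failures(user_id) >= MAX_ATTEMPTS:
            return "rate_limited"               # refuse even a correct guess while locked
        salt, stored = self.users[user_id]
        if not hmac.compare_digest(_derive(old_password, salt), stored):
            self.failures[user_id].append(self.clock())
            return "wrong_password"
        self.failures[user_id].clear()
        new_salt = os.urandom(16)
        self.users[user_id] = (new_salt, _derive(new_password, new_salt))
        return "ok"
```

A production version would keep the failure counters in shared storage so that the limit holds across application nodes, and would log the lockout event for detection.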

Weakness Enumeration: Improper Restriction of Excessive Authentication Attempts

Related Identifiers: BDU:2023-04400, CVE-2023-36917

Affected Products: SAP BusinessObjects Business Intelligence Platform