Vulnerabilities > CVE-2023-36917 - Improper Restriction of Excessive Authentication Attempts vulnerability in SAP Businessobjects Business Intelligence 420/430

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

sap

CWE-307

NVD

Published: 2023-07-11

Updated: 2023-07-18

Summary

SAP BusinessObjects Business Intelligence Platform - version 420, 430, allows an unauthorized attacker who had hijacked a user session, to be able to bypass the victim’s old password via brute force, due to unrestricted rate limit for password change functionality. Although the attack has no impact on integrity loss or system availability, this could lead to an attacker to completely takeover a victim’s account.

Vulnerable Configurations

Part	Description	Count
Application	Sap SAP Businessobjects Business Intelligence 420 SAP Businessobjects Business Intelligence 430	2

Common Weakness Enumeration (CWE)

CWE-307 - Improper Restriction of Excessive Authentication Attempts

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References