Vulnerability Details CVE-2023-49583
SAP BTP Security Services Integration Library ([Node.js] @sap/xssec), versions < 3.6.0, allows an escalation of privileges under certain conditions. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 60.9%
CVSS Severity
CVSS v3 Score 9.1
Products affected by CVE-2023-49583
- cpe:2.3:a:sap:@sap/xssec:1.0.2
- cpe:2.3:a:sap:@sap/xssec:1.0.3
- cpe:2.3:a:sap:@sap/xssec:1.1.0
- cpe:2.3:a:sap:@sap/xssec:1.1.1
- cpe:2.3:a:sap:@sap/xssec:1.3.0
- cpe:2.3:a:sap:@sap/xssec:2.0.0
- cpe:2.3:a:sap:@sap/xssec:2.1.0
- cpe:2.3:a:sap:@sap/xssec:2.1.1
- cpe:2.3:a:sap:@sap/xssec:2.1.10
- cpe:2.3:a:sap:@sap/xssec:2.1.11
- cpe:2.3:a:sap:@sap/xssec:2.1.12
- cpe:2.3:a:sap:@sap/xssec:2.1.14
- cpe:2.3:a:sap:@sap/xssec:2.1.15
- cpe:2.3:a:sap:@sap/xssec:2.1.16
- cpe:2.3:a:sap:@sap/xssec:2.1.17
- cpe:2.3:a:sap:@sap/xssec:2.1.2
- cpe:2.3:a:sap:@sap/xssec:2.1.3
- cpe:2.3:a:sap:@sap/xssec:2.1.4
- cpe:2.3:a:sap:@sap/xssec:2.1.5
- cpe:2.3:a:sap:@sap/xssec:2.1.6
- cpe:2.3:a:sap:@sap/xssec:2.1.7
- cpe:2.3:a:sap:@sap/xssec:2.1.8
- cpe:2.3:a:sap:@sap/xssec:2.1.9
- cpe:2.3:a:sap:@sap/xssec:2.2.0
- cpe:2.3:a:sap:@sap/xssec:2.2.1
- cpe:2.3:a:sap:@sap/xssec:2.2.2
- cpe:2.3:a:sap:@sap/xssec:2.2.3
- cpe:2.3:a:sap:@sap/xssec:2.2.4
- cpe:2.3:a:sap:@sap/xssec:2.2.5
- cpe:2.3:a:sap:@sap/xssec:3.0.0
- cpe:2.3:a:sap:@sap/xssec:3.0.1
- cpe:2.3:a:sap:@sap/xssec:3.0.10
- cpe:2.3:a:sap:@sap/xssec:3.0.2
- cpe:2.3:a:sap:@sap/xssec:3.0.3
- cpe:2.3:a:sap:@sap/xssec:3.0.5
- cpe:2.3:a:sap:@sap/xssec:3.0.6
- cpe:2.3:a:sap:@sap/xssec:3.0.7
- cpe:2.3:a:sap:@sap/xssec:3.0.8
- cpe:2.3:a:sap:@sap/xssec:3.0.9
- cpe:2.3:a:sap:@sap/xssec:3.1.0
- cpe:2.3:a:sap:@sap/xssec:3.1.1
- cpe:2.3:a:sap:@sap/xssec:3.1.2
- cpe:2.3:a:sap:@sap/xssec:3.2.0
- cpe:2.3:a:sap:@sap/xssec:3.2.1
- cpe:2.3:a:sap:@sap/xssec:3.2.10
- cpe:2.3:a:sap:@sap/xssec:3.2.11
- cpe:2.3:a:sap:@sap/xssec:3.2.12
- cpe:2.3:a:sap:@sap/xssec:3.2.13
- cpe:2.3:a:sap:@sap/xssec:3.2.14
- cpe:2.3:a:sap:@sap/xssec:3.2.15
- cpe:2.3:a:sap:@sap/xssec:3.2.17
- cpe:2.3:a:sap:@sap/xssec:3.2.18
- cpe:2.3:a:sap:@sap/xssec:3.2.2
- cpe:2.3:a:sap:@sap/xssec:3.2.3
- cpe:2.3:a:sap:@sap/xssec:3.2.4
- cpe:2.3:a:sap:@sap/xssec:3.2.5
- cpe:2.3:a:sap:@sap/xssec:3.2.7
- cpe:2.3:a:sap:@sap/xssec:3.2.8
- cpe:2.3:a:sap:@sap/xssec:3.2.9
- cpe:2.3:a:sap:@sap/xssec:3.3.0
- cpe:2.3:a:sap:@sap/xssec:3.3.1
- cpe:2.3:a:sap:@sap/xssec:3.3.2
- cpe:2.3:a:sap:@sap/xssec:3.3.3
- cpe:2.3:a:sap:@sap/xssec:3.3.4
- cpe:2.3:a:sap:@sap/xssec:3.3.5
- cpe:2.3:a:sap:@sap/xssec:3.4.0
- cpe:2.3:a:sap:@sap/xssec:3.5.0