Business One
CVE-2023-39437
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site scripting. This could lead to harmful action affecting the Confidentiality, Integrity and Availability of the application.
AnalysisAI
SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. SAP business One allows - version 10.0, allows an attacker to insert malicious code into the content of a web page or application and gets it delivered to the client, resulting to Cross-site scripting. This could lead to harmful action affecting the Confidentiality, Integrity and Availability of the application. Affected products include: Sap Business One. Version information: version 10.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
More in Business One
View allSAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML
SAP Business One - version 10.0, allows an attacker to inject formulas when exporting data to Excel (CSV injection) due
SAP Business One client - version 10.0 allows an attacker with low privileges, to inject code that can be executed by th
The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that
SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script f
SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB sh
In SAP Business One application when a service is created, the executable path contains spaces and isn’t enclosed within
SAP Business One, version - 10.0, allows a local attacker with access to the victim's browser under certain circumstance
Under certain conditions, SAP Business One Hana Chef Cookbook, versions - 8.82, 9.0, 9.1, 9.2, 9.3, 10.0, used to instal
B1i module of SAP Business One - version 10.0, application allows an authenticated user with deep knowledge to send craf
Due to improper input sanitization of XML input in SAP Business One - version 10.0, an attacker can perform a denial-of-
Under special integration scenario of SAP Business one and SAP HANA - version 10.0, an attacker can exploit HANA cockpit
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today