Vulnerability title
Authentication flaw in SAP Business One (Service Layer)
Vulnerability description
The Service Layer in SAP Business One allows an attacker to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Because of improper session management, an attacker can elevate their own privileges and read, modify and/or write new data. To obtain another user's authenticated session, the attacker must invest considerable time and effort. This vulnerability has a high impact on the confidentiality and integrity of the application, but no impact on its availability.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability category
Session fixation
Vulnerability title
Broken Authentication in SAP Business One (Service Layer)
Vulnerability description
The Service Layer in SAP Business One allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to improper session management, attackers can elevate themselves to a higher privilege level and can read, modify and/or write new data. To gain the authenticated sessions of other users, the attacker must invest considerable time and effort. This vulnerability has a high impact on the confidentiality and integrity of the application, with no effect on the availability of the application.
CVSS information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability category
Session fixation