CVE-2023-41369
Severity: LOW
SAP S/4HANA 100-108 - XML External Entity Injection via Payment Attachment
Title source: llmDescription
The Create Single Payment application of SAP S/4HANA, versions 100, 101, 102, 103, 104, 105, 106, 107 and 108, allows an attacker to upload an XML file as an attachment. When the XML file is clicked in the attachment section, it is opened in the browser, where entity loops slow the browser down.
References (2)
Core 2
Core References
Permissions Required
https://me.sap.com/notes/3369680
Scores
CVSS v3
3.5
EPSS
0.0011
EPSS Percentile
28.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (9)
sap/s\/4_hana
100
sap/s\/4_hana
101
sap/s\/4_hana
102
sap/s\/4_hana
103
sap/s\/4_hana
104
sap/s\/4_hana
105
sap/s\/4_hana
106
sap/s\/4_hana
107
sap/s\/4_hana
108
Published
Sep 12, 2023
Tracked Since
Feb 18, 2026