// For flags

CVE-2023-40310

Missing XML Validation vulnerability in SAP PowerDesigner Client BPMN2 import

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

SAP PowerDesigner Client - version 16.7, does not sufficiently validate BPMN2 XML document imported from an untrusted source. As a result, URLs of external entities in BPMN2 file, although not used, would be accessed during import. A successful attack could impact availability of SAP PowerDesigner Client.

SAP PowerDesigner Client: versión 16.7, no valida suficientemente el documento XML BPMN2 importado de una fuente que no es de confianza. Como resultado, se accedería a las URL de entidades externas en el archivo BPMN2, aunque no se utilizaran, durante la importación. Un ataque exitoso podría afectar la disponibilidad de SAP PowerDesigner Client.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-08-14 CVE Reserved
  • 2023-10-10 CVE Published
  • 2024-09-18 CVE Updated
  • 2024-10-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-112: Missing XML Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Sap
Search vendor "Sap"
Powerdesigner
Search vendor "Sap" for product "Powerdesigner"
16.7
Search vendor "Sap" for product "Powerdesigner" and version "16.7"
-
Affected