CVE-2023-35872— Missing Authentication check in SAP NetWeaver Process Integration (Message Display Tool)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-35872
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Missing Authentication check in SAP NetWeaver Process Integration (Message Display Tool)
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Message Display Tool (MDT) of SAP NetWeaver Process Integration - version SAP_XIAF 7.50, does not perform authentication checks for certain functionalities that require user identity. An unauthenticated user might access technical data about the product status and its configuration. The vulnerability does not allow access to sensitive information or administrative functionalities. On successful exploitation an attacker can cause limited impact on confidentiality and availability of the application.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
关键功能的认证机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
SAP NetWeaver Process Integration 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SAP NetWeaver Process Integration(PI)是德国思爱普(SAP)公司的一套SAP企业应用程序集成软件,是NetWeaver产品组的一个组件。该组件主要用于内部系统与外部的信息交换。 SAP NetWeaver Process Integration 存在访问控制错误漏洞,该漏洞源于不对需要用户身份的某些功能执行身份验证检查。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| SAP_SE | SAP NetWeaver Process Integration (Message Display Tool) | SAP_XIAF 7.50 | - |
II. Public POCs for CVE-2023-35872
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-35872
请登录查看更多情报信息。
Same Patch Batch · SAP_SE · 2023-07-11 · 18 CVEs total
| CVE-2023-36922 | 9.1 CRITICAL | OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) |
| CVE-2023-33989 | 8.7 HIGH | Directory Traversal vulnerability in SAP NetWeaver (BI CONT ADD ON) |
| CVE-2023-33987 | 8.6 HIGH | Request smuggling and request concatenation in SAP Web Dispatcher |
| CVE-2023-33990 | 7.8 HIGH | Denial of Service (DoS) vulnerability in SAP SQL Anywhere |
| CVE-2023-35871 | 7.7 HIGH | Memory Corruption vulnerability in SAP Web Dispatcher |
| CVE-2023-36925 | 7.2 HIGH | Unauthenticated blind SSRF in SAP Solution Manager (Diagnostics agent) |
| CVE-2023-36921 | 7.2 HIGH | Header Injection in SAP Solution Manager (Diagnostic Agent) |
| CVE-2023-35873 | 6.5 MEDIUM | Missing Authentication check in SAP NetWeaver Process Integration (Runtime Workbench) |
| CVE-2023-35870 | 6.3 MEDIUM | Improper Access Control in SAP S/4HANA (Manage Journal Entry Template) |
| CVE-2023-36918 | 6.1 MEDIUM | Cross-Site Scripting vulnerability in SAP Enable Now |
| CVE-2023-33988 | 6.1 MEDIUM | Cross-Site Scripting vulnerability in SAP Enable Now |
| CVE-2023-35874 | 6.0 MEDIUM | Improper authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform |
| CVE-2023-36917 | 5.9 MEDIUM | Password Change rate limit bypass in SAP BusinessObjects Business Intelligence Platform |
| CVE-2023-31405 | 5.3 MEDIUM | Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) |
| CVE-2023-36919 | 5.3 MEDIUM | Information Disclosure in SAP Enable Now |
| CVE-2023-36924 | 4.9 MEDIUM | Log Injection vulnerability in SAP ERP Defense Forces and Public Security |
| CVE-2023-33992 | 4.5 MEDIUM | Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA |
IV. Related Vulnerabilities
Same vendor: SAP_SE
- CVE-2026-34264
Information Disclosure vulnerability in SAP Human Capital Ma - CVE-2026-34262
Information Disclosure Vulnerability in SAP HANA Cockpit and - CVE-2026-34261
Missing Authorization check in SAP Business Analytics and SA - CVE-2026-34257
Open Redirect vulnerability in SAP NetWeaver Application Ser - CVE-2026-34256
Missing Authorization check in SAP ERP and SAP S/4 HANA (Pri
Same weakness: CWE-306
- CVE-2021-47940
WordPress Download From Files 1.48 Arbitrary File Upload - CVE-2021-47936
OpenCATS 0.9.4 Remote Code Execution via Resume Upload - CVE-2021-47933
WordPress MStore API 2.0.6 Arbitrary File Upload - CVE-2026-8185
UGREEN CM933 Administrative missing authentication - CVE-2026-42302
FastGPT: Unauthenticated Remote Code Execution (RCE) via cod
V. Comments for CVE-2023-35872
No comments yet