{"vulnerability": "CVE-2023-3748", "sightings": [{"uuid": "5feca91e-23c7-4150-b521-0b2fc856b959", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-37481", "type": "seen", "source": "https://t.me/cibsecurity/66947", "content": "\u203c CVE-2023-37481 \u203c\n\nFides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit this vulnerability to upload zip files containing malicious SVG bombs (similar to a billion laughs attack), causing resource exhaustion in Admin UI browser tabs and creating a persistent denial of service of the 'new connector' page (`datastore-connection/new`). This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-07-18T22:31:24.000000Z"}, {"uuid": "9ea7383f-0553-41d7-9301-58d095088bf7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-37482", "type": "seen", "source": "https://infosec.exchange/users/cve/statuses/113984783209414361", "content": "", "creation_timestamp": "2025-02-11T10:29:24.184341Z"}, {"uuid": "ff7f4407-b1ca-45cc-ba0a-10fee6e34e02", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-37482", "type": "seen", "source": "https://bsky.app/profile/cve-notifications.bsky.social/post/3lhvjsp3oef2h", "content": "", "creation_timestamp": "2025-02-11T11:15:30.999847Z"}, {"uuid": "92482031-0082-4a74-b8a6-c1caab6dc72f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-37482", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/10891", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-37482\n\ud83d\udd25 CVSS Score: 5.3 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\ud83d\udd39 Description: The login functionality of the web server in affected devices does not normalize the response times of login attempts. An unauthenticated remote attacker could exploit this side-channel information to distinguish between valid and invalid usernames.\n\ud83d\udccf Published: 2025-02-11T10:26:27.720Z\n\ud83d\udccf Modified: 2025-04-08T08:19:41.567Z\n\ud83d\udd17 References:\n1. https://cert-portal.siemens.com/productcert/html/ssa-195895.html", "creation_timestamp": "2025-04-08T08:46:59.000000Z"}, {"uuid": "d716fe79-95fa-4d39-819c-45a8195936ea", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-37482", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-02", "content": "", "creation_timestamp": "2025-02-13T11:00:00.000000Z"}, {"uuid": "3fb2e589-9291-42ef-94a8-3e94cafc4b1e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-37480", "type": "seen", "source": "https://t.me/cibsecurity/66938", "content": "\u203c CVE-2023-37480 \u203c\n\nFides is an open-source privacy engineering platform for managing data privacy requests and privacy regulations. The Fides webserver is vulnerable to a type of Denial of Service (DoS) attack. Attackers can exploit a weakness in the connector template upload feature to upload a malicious zip bomb file, resulting in resource exhaustion and service unavailability for all users of the Fides webserver. This vulnerability affects Fides versions `2.11.0` through `2.15.1`. Exploitation is limited to users with elevated privileges with the `CONNECTOR_TEMPLATE_REGISTER` scope, which includes root users and users with the owner role. The vulnerability has been patched in Fides version `2.16.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There is no known workaround to remediate this vulnerability without upgrading. If an attack occurs, the impact can be mitigated by manually or automatically restarting the affected container.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-07-18T22:31:12.000000Z"}, {"uuid": "6a6d53c1-8a30-4914-a794-1b46d26cd325", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-37483", "type": "seen", "source": "https://t.me/cibsecurity/67940", "content": "\u203c CVE-2023-37483 \u203c\n\nSAP PowerDesigner - version 16.7, has improper access control which might allow an unauthenticated attacker to run arbitrary queries against the back-end database via Proxy.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-08T07:13:55.000000Z"}, {"uuid": "0b5fc88d-3db2-4548-904c-f0031732fd2a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-37486", "type": "seen", "source": "https://t.me/cibsecurity/67939", "content": "\u203c CVE-2023-37486 \u203c\n\nUnder certain conditions\u00c2\u00a0SAP Commerce\u00c2\u00a0(OCC API) - versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211, endpoints allow an attacker to access information which would otherwise be restricted. On successful exploitation there could be a high impact on confidentiality with no impact on integrity and availability of the application.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-08T07:13:54.000000Z"}, {"uuid": "4f65abe5-5980-42ca-a8c5-50d2b5a8bcdd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-37487", "type": "seen", "source": "https://t.me/cibsecurity/67937", "content": "\u203c CVE-2023-37487 \u203c\n\nSAP Business One (Service Layer) - version 10.0, allows an authenticated attacker with deep knowledge perform certain operation to access unintended data over the network which could lead to high impact on confidentiality with no impact on integrity and availability of the application\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-08T07:13:51.000000Z"}, {"uuid": "b4ba12fb-d5ab-4670-a073-d3b562a146f1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-37484", "type": "seen", "source": "https://t.me/cibsecurity/67945", "content": "\u203c CVE-2023-37484 \u203c\n\nSAP PowerDesigner - version 16.7, queries all password hashes in the backend database and compares it with the user provided one during login attempt, which might allow an attacker to access password hashes from the client's memory.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-08T07:14:03.000000Z"}, {"uuid": "08a0dc1e-b6ff-49f5-b17a-bda76bdb7041", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-37488", "type": "seen", "source": "https://t.me/cibsecurity/67944", "content": "\u203c CVE-2023-37488 \u203c\n\nIn SAP NetWeaver\u00c2\u00a0Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack. On successful exploitation the attacker can cause\u00c2\u00a0limited impact on confidentiality and integrity of the system.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-08-08T07:14:02.000000Z"}]}