{"id":"PYSEC-2023-261","details":"SAP BTP Security Services Integration Library ([Python] sap-xssec), versions \u003c 4.1.0, allows an escalation of privileges under certain conditions. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.","aliases":["CVE-2023-50423","GHSA-6mjg-37cp-42x5"],"modified":"2024-09-30T19:12:13.772998Z","published":"2023-12-12T02:15:00Z","references":[{"type":"WEB","url":"https://me.sap.com/notes/3411067"},{"type":"ADVISORY","url":"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"},{"type":"PACKAGE","url":"https://pypi.org/project/sap-xssec/"},{"type":"ADVISORY","url":"https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"},{"type":"ADVISORY","url":"https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5"},{"type":"WEB","url":"https://github.com/SAP/cloud-pysec/"}],"affected":[{"package":{"name":"sap-xssec","ecosystem":"PyPI","purl":"pkg:pypi/sap-xssec"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.1.0"}]}],"versions":["1.1.8","2.0.1","2.0.10","2.0.11","2.0.12","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.1.0","3.0.0","3.1.0","3.2.0","3.3.0","4.0.0","4.0.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/sap-xssec/PYSEC-2023-261.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}