CVE-2023-41365: 
SAP Business One vulnerability analysis and mitigation

SAP Business One (B1i) version 10.0 contains an information disclosure vulnerability (CVE-2023-41365) that was disclosed in October 2023. The vulnerability allows an authorized attacker to retrieve detailed stack trace information from fault messages, which can be used to conduct XXE (XML External Entity) injection attacks (NVD, Cyber Security News).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The weakness has been classified as CWE-611 (Improper Restriction of XML External Entity Reference). The vulnerability specifically affects SAP Business One (B1i) version 10.0 and requires authentication for exploitation (NVD).

Upon successful exploitation, an attacker can cause limited impact on the confidentiality of the system through information disclosure via stack trace details. The vulnerability has no impact on system integrity or availability (NVD, Cyber Security News).

SAP has released patches to address this vulnerability. Users are recommended to upgrade to the latest version of the affected software. The fix was included in the October 2023 patch release (CERT-FR, Cyber Security News).