Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-6256

Severity
9.6 CRITICAL
EPSS
10.1%
top 6.92%
CISA KEV
Not in KEV
Exploit
PoC available
Timeline
Published: May 26
Latest update: May 14

Description

SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 6.0

Affected Packages: 1 package

NVD: sap/business_one 1.2.3

🔴 Vulnerability Details

2
GHSA
GHSA-jqcq-m297-wggx: SAP Business One for Android 1 (2022-05-14)
CVEList
CVE-2016-6256: SAP Business One for Android 1 (2017-05-25)

💥 Exploits & PoCs

1
Exploit-DB
SAP Business One for Android 1.2.3 - XML External Entity Injection (2017-05-19)