Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2022-28213: Missing XML Validation in SE SAP Businessobjects Business Intelligence Platform

Severity: 8.1 HIGH (NVD)
EPSS: 12.6% (top 6.02%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Apr 12; latest update May 11

Description

When a user accesses SOAP Web services in SAP BusinessObjects Business Intelligence Platform, versions 420 and 430, the platform does not sufficiently validate the XML document accepted from an untrusted source, which might result in arbitrary file retrieval from the server and in successful DoS exploits.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Exploitability: 2.8 | Impact: 5.2

🔴Vulnerability Details

2
GHSA
GHSA-rv48-743j-57hj (2022-04-13): When a user access SOAP Web services in SAP BusinessObjects Business Intelligence Platform - version 420, 430, it does not sufficiently validate the X
CVEList
CVE-2022-28213 (2022-04-12): When a user access SOAP Web services in SAP BusinessObjects Business Intelligence Platform - version 420, 430, it does not sufficiently validate the X

💥Exploits & PoCs

1
Exploit-DB
SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE) (2022-05-11)