CVE-2025-26658: Session Fixation in SAP SE SAP Business One

CWE-384: Session Fixation | 3 documents | 3 sources
Severity: 6.8 MEDIUM (NVD)
EPSS: 0.1% (top 75.51%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: listed under Affected Packages below
Timeline: Published Mar 11

Description

The Service Layer in SAP Business One allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to improper session management, attackers can elevate themselves to higher privileges and can read, modify and/or write new data. To gain authenticated sessions of other users, the attacker must invest considerable time and effort. This vulnerability has a high impact on the confidentiality and integrity of the

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.6 | Impact: 5.2

Affected Packages (1 package)

CVEListV5: sap_se/sap_business_one: B1_ON_HANA 10.0, SAP-M-BO 10.0, +1

Vulnerability Details (2 sources)

GHSA: GHSA-3fjr-h35g-vfc9 (2025-03-11): The Service Layer in SAP Business One, allows attackers to potentially gain unauthorized access and impersonate other users in the application to perf
CVEList: Broken Authentication in SAP Business One (Service Layer) (2025-03-11)
CVE-2025-26658 — Session Fixation | cvebase