CVE-2022-28213

HIGH

SAP BusinessObjects Business Intelligence Platform - Denial of Service

Title source: rule

Description

When a user accesses SOAP Web services in SAP BusinessObjects Business Intelligence Platform, versions 420 and 430, the platform does not sufficiently validate the XML document accepted from an untrusted source, which might result in retrieval of arbitrary files from the server and in successful DoS exploits.

Exploits (1)

exploitdb WORKING POC
by West Shepherd · text · remote · multiple
https://www.exploit-db.com/exploits/50900

Scores

CVSS v3 8.1
EPSS 0.1262
EPSS Percentile 94.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Details

CWE
CWE-112
Status published
Products (2)
sap/businessobjects_business_intelligence_platform 420
sap/businessobjects_business_intelligence_platform 430
Published Apr 12, 2022
Tracked Since Feb 18, 2026