CVE-2022-28213

HIGH

SAP BusinessObjects Business Intelligence Platform 420, 430 - XML External Entity Injection via SOAP Web Services


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-28213. PoC published by West Shepherd.

AI-analyzed exploit summary

This exploit demonstrates an XML External Entity (XXE) injection vulnerability in SAP BusinessObjects Intelligence 4.3. It sends a malicious XML payload via a POST request to trigger the XXE, potentially leading to information disclosure or server-side request forgery (SSRF).

Description

When a user accesses SOAP web services in SAP BusinessObjects Business Intelligence Platform versions 420 and 430, the platform does not sufficiently validate the XML document accepted from an untrusted source, which might result in retrieval of arbitrary files from the server and in a successful denial-of-service (DoS) attack.

Exploits (1)

exploitdb WORKING POC
by West Shepherd · text · remote · multiple
https://www.exploit-db.com/exploits/50900


Classification
Working PoC 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: SAP BusinessObjects Intelligence 4.2 and 4.3
No auth needed
Prerequisites: Network access to the target SAP BusinessObjects server
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Permissions Required, Vendor Advisory (x_refsource_misc)
https://launchpad.support.sap.com/#/notes/3055044

Scores

CVSS v3 8.1
EPSS 0.1213
EPSS Percentile 95.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Details

CWE
CWE-112
Status published
Products (2)
sap/businessobjects_business_intelligence_platform 420
sap/businessobjects_business_intelligence_platform 430
Published Apr 12, 2022
Tracked Since Feb 18, 2026