CVE-2022-28771
HIGH
SAP Business One License service API <10.0 - Unauthenticated RCE
Title source: llm
Description
Due to a missing authentication check, SAP Business One License service API - version 10.0 allows an unauthenticated attacker to send malicious HTTP requests over the network. On successful exploitation, an attacker can break the whole application, making it inaccessible.
References (2)
Core References
Vendor Advisory x_refsource_misc
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/3157613
Scores
CVSS v3: 7.5
EPSS: 0.0067
EPSS Percentile: 71.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-306
Status: published
Products (1): sap/business_one_license_service_api 10.0
Published: Jul 12, 2022
Tracked Since: Feb 18, 2026