Vulnerabilities > CVE-2016-6256 - XXE vulnerability in SAP Business ONE 1.2.3

CVSS 9.6 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

sap

CWE-611

critical

exploit available

NVD

Published: 2017-05-26

Updated: 2019-07-08

Summary

SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.vplatform.runtime/INB_WS_CALL_SYNC_XPT/INB_WS_CALL_SYNC_XPT.ipo/proc, aka SAP Security Note 2378065.

Vulnerable Configurations

Part	Description	Count
Application	Sap SAP Business ONE 1.2.3	1

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Exploit-Db

description	SAP Business One for Android 1.2.3 - XML External Entity Injection. CVE-2016-6256. Webapps exploit for XML platform. Tags: XML External Entity (XXE)
file	exploits/xml/webapps/42036.txt
id	EDB-ID:42036
last seen	2017-05-19
modified	2017-05-19
platform	xml
port
published	2017-05-19
reporter	Exploit-DB
source	https://www.exploit-db.com/download/42036/
title	SAP Business One for Android 1.2.3 - XML External Entity Injection
type	webapps

Packetstorm

data source	https://packetstormsecurity.com/files/download/142597/sapbusinessone-xxe.txt
id	PACKETSTORM:142597
last seen	2017-05-20
published	2017-05-20
reporter	Ravindra Singh Rathore
source	https://packetstormsecurity.com/files/142597/SAP-Business-One-For-Android-1.2.3-XML-Injection.html
title	SAP Business One For Android 1.2.3 XML Injection

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

References