CVE-2016-9563

CVSS 6.5 MEDIUM · EPSS 23.8% · KEV (listed) · CWE-611 (Improper Restriction of XML External Entity Reference)
In short

A vulnerability in SAP NetWeaver AS JAVA 7.5 lets an authenticated user carry out XML External Entity (XXE) attacks against the bpemuwlconn web endpoint of the BC-BMT-BPM-DSK component. Because the server-side XML parser resolves external entities in attacker-supplied documents, an attacker can read files the application server process can access and make the server issue requests to other hosts on the attacker's behalf (SSRF). The CVSS vector rates the confidentiality impact as high, with no integrity or availability impact.

Technical detail

The BC-BMT-BPM-DSK component of SAP NetWeaver AS JAVA 7.5 parses XML submitted to the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI without disabling external entity resolution, so a DOCTYPE declaration in the request body is honoured (XXE, CWE-611). A remote authenticated attacker (CVSS PR:L, no user interaction) can use SYSTEM entities to read arbitrary files readable by the application server, or to make the server fetch URLs on the attacker's behalf (server-side request forgery). The fix is delivered with SAP Security Note 2296909.

Summary generated and translated by AI from the official description.
BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products: n/a (no product entries are listed; the official description names SAP NetWeaver AS JAVA 7.5)
