SAP Business One
cpe:2.3:a:sap:business_one:*:*:*:*:*:*:*
A vulnerability in the Service Layer of SAP Business One could allow attackers to gain unauthorized access, impersonate other users, and perform unauthorized actions within the application. This issue arises from improper session management, which enables attackers to escalate privileges and to read, modify, or create data. Although exploiting this vulnerability requires significant time and effort to obtain authenticated sessions of other users, it poses a high risk to the application's confidentiality and integrity, with no impact on availability.
Successful exploitation could lead to unauthorized access and actions within the application, allowing attackers to impersonate other users, escalate privileges, and manipulate data.
Users are advised to review and implement the SAP Security Note related to this vulnerability, available through the SAP Security Patch Day Bulletin. For guidance on accessing and applying SAP Security Notes, refer to the SAP Security Notes FAQs.