CVE-2020-26831

Published: Dec 9, 2020Modified: Nov 21, 2024

9.6

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H

Exploitability: 3.1 / Impact: 5.8

Source: NVD

Description

SAP BusinessObjects BI Platform (Crystal Report), versions - 4.1, 4.2, 4.3, does not sufficiently validate uploaded XML entities during crystal report generation due to missing XML validation, An attacker with basic privileges can inject some arbitrary XML entities leading to internal file disclosure, internal directories disclosure, Server-Side Request Forgery (SSRF) and denial-of-service (DoS).

Affected (3)

Products: Sap: Businessobjects Business Intelligence Platform

Sap

1 product

Businessobjects Business Intelligence Platform

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Sap Businessobjects Business Intelligence Platform	Version 4.1
Sap Businessobjects Business Intelligence Platform	Version 4.2
Sap Businessobjects Business Intelligence Platform	Version 4.3

References (4)

https://launchpad.support.sap.com/#/notes/2989075

Source: cna@sap.com

Permissions Required

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

Source: cna@sap.com

Vendor Advisory

https://launchpad.support.sap.com/#/notes/2989075

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.