CVE-2020-26830 Information

Description

SAP Solution Manager 7.2 (User Experience Monitoring), version 7.2, does not perform necessary authorization checks for an authenticated user. Due to inadequate access control, a network attacker authenticated as a regular user can use operations which should be restricted to administrators. These operations can be used to change the User Experience Monitoring configuration, obtain details about the configured SAP Solution Manager agents, and deploy a malicious User Experience Monitoring script.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Reference

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079
https://launchpad.support.sap.com/#/notes/2983204
http://seclists.org/fulldisclosure/2021/Jun/29
http://packetstormsecurity.com/files/163161/SAP-Solution-Manager-7.2-Missing-Authorization.html

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

8.1

Base Severity

HIGH
