CVE-2020-26831 Information

Description

SAP BusinessObjects BI Platform (Crystal Report), versions 4.1, 4.2 and 4.3, does not sufficiently validate uploaded XML entities during Crystal Report generation because XML validation is missing. An attacker with basic privileges can inject arbitrary XML entities, leading to internal file disclosure, internal directory disclosure, Server-Side Request Forgery (SSRF) and denial of service (DoS).

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H

Reference

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079
https://launchpad.support.sap.com/#/notes/2989075

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

9.6

Base Severity

HIGH