Home

CVE-2020-26831

Description

SAP BusinessObjects BI Platform (Crystal Report), versions - 4.1, 4.2, 4.3, does not sufficiently validate uploaded XML entities during crystal report generation due to missing XML validation, An attacker with basic privileges can inject some arbitrary XML entities leading to internal file disclosure, internal directories disclosure, Server-Side Request Forgery (SSRF) and denial-of-service (DoS).

Risk Information

Base Score
9.6
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
EPSS Score
Exploitation Probability
0.615

Associated Vulnerability

VulnerabilityOS Platform
Multiple Vulnerabilities are affected in SAP Business Objects Business Intelligence Platform 4.1Windows
Multiple Vulnerabilities are affected in SAP Business Objects Business Intelligence Platform 4.2Windows
Multiple Vulnerabilities are affected in SAP Business Objects Business Intelligence Platform 4.3Windows
Multiple Vulnerabilities are affected in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) 4.1Windows
Multiple Vulnerabilities are affected in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) 4.2Windows
Multiple Vulnerabilities are affected in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) 4.3Windows

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234