Vulnerability CVE-2020-26828


Published: 2020-12-09

Description:
SAP Disclosure Management, version - 10.1, provides capabilities for authorized users to upload and download content of specific file type. In some file types it is possible to enter formulas which can call external applications or execute scripts. The execution of a payload (script) on target machine could be used to steal and modify the data available in the spreadsheet

Type:

CWE-434

(Unrestricted Upload of File with Dangerous Type)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5.5/10
4.9/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
None
Affected software
SAP -> Disclosure management 

 References:
https://launchpad.support.sap.com/#/notes/2971180
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

Copyright 2024, cxsecurity.com

 

Back to Top