CVE-2020-26831

Summary

SAP BusinessObjects BI Platform (Crystal Report), versions - 4.1, 4.2, 4.3, does not sufficiently validate uploaded XML entities during crystal report generation due to missing XML validation, An attacker with basic privileges can inject some arbitrary XML entities leading to internal file disclosure, internal directories disclosure, Server-Side Request Forgery (SSRF) and denial-of-service (DoS).

Affected Software

VendorProductVersion RangeStatus
SAP SESAP BusinessObjects BI Platform (Crystal Report)< 4.1affected
SAP SESAP BusinessObjects BI Platform (Crystal Report)< 4.2affected
SAP SESAP BusinessObjects BI Platform (Crystal Report)< 4.3affected

Weaknesses

  • Missing XML Validation

ADP Enrichment

CVE Program Container

Additional References

References