Server-Side Request Forgery in SAP Fiori Launchpad by SAP
CVE-2020-26815

8.6HIGH

Key Information:

Vendor: SAP
Status: SAP Fiori LauncHPad (news Tile Application)
Vendor: CVE Published:; 10 November 2020

What is CVE-2020-26815?

SAP Fiori Launchpad, specifically within its News tile Application, is susceptible to a Server-Side Request Forgery (SSRF). This vulnerability allows an unauthorized attacker to craft requests targeting internal systems, which are typically shielded behind firewalls, thereby gaining unauthorized access to sensitive or confidential resources. Such exploitation can compromise the security posture of the application, rendering restricted internal resources vulnerable to exposure.

Affected Version(s)

SAP Fiori Launchpad (News Tile Application) < 750 < 750

SAP Fiori Launchpad (News Tile Application) < 751 < 751

SAP Fiori Launchpad (News Tile Application) < 752 < 752

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...

x_refsource_MISC

https://launchpad.support.sap.com/#/notes/2984627

x_refsource_MISC

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 10, 2020
Vulnerability Reserved
Oct 7, 2020