Access Control Flaw in SAP Solution Manager 7.2 User Experience Monitoring
CVE-2020-26830

7.6HIGH

Key Information:

Vendor

SAP
Status
SAP Solution Manager (user Experience Monitoring)
Vendor
CVE Published:
9 December 2020

What is CVE-2020-26830?

SAP Solution Manager 7.2, specifically within its User Experience Monitoring component, lacks proper authorization checks for authenticated users. This vulnerability allows an attacker, already authenticated as a regular user, to perform actions that should be restricted to administrators. As a result, sensitive configurations related to User Experience Monitoring can be changed, and information about the existing SAP Solution Manager agents can be accessed. Furthermore, it allows the deployment of potentially malicious scripts which could compromise the integrity of the entire system.

Affected Version(s)

SAP Solution Manager (User Experience Monitoring) < 7.20

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...
x_refsource_MISC
https://launchpad.support.sap.com/#/notes/2983204
x_refsource_MISC
http://seclists.org/fulldisclosure/2021/Jun/29
mailing-listx_refsource_FULLDISC

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2020-26830 : Access Control Flaw in SAP Solution Manager 7.2 User Experience Monitoring