Code Injection Vulnerability in SAP Business Objects Business Intelligence Platform
CVE-2020-6208

7.5 HIGH

Summary

The SAP Business Objects Business Intelligence Platform, particularly in its Crystal Reports component, is susceptible to a code injection vulnerability. An attacker with basic authorization can leverage this flaw to inject malicious code that the application executes. While the attack vector is classified as local, the implications can affect multiple applications within the environment, potentially allowing an attacker to manipulate the application's behavior and execute arbitrary code.

Affected Version(s)

SAP Business Objects Business Intelligence Platform (Crystal Reports) < 4.1

SAP Business Objects Business Intelligence Platform (Crystal Reports) < 4.2

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
