CVE Vulnerability

CVE-2020-26828

SAP Disclosure Management, version - 10.1, provides capabilities for authorized users to upload and download content of specific file type. In some file types it is possible to enter formulas which can call external applications or execute scripts. The execution of a payload (script) on target machine could be used to steal and modify the data available in the spreadsheet

5.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

6.4 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 Vendor Advisory
https://launchpad.support.sap.com/#/notes/2971180 Permissions Required
Configurations

Configuration 1

cpe:2.3:a:sap:disclosure_management:10.1:*:*:*:*:*:*:*
Information

Published : 2020-12-09 05:15

Updated : 2020-12-11 02:24

NVD link : CVE-2020-26828

Mitre link : CVE-2020-26828

Products Affected
No products.
CWE
CWE-434