Vulnerability Details : CVE-2020-26828
SAP Disclosure Management, version 10.1, provides capabilities for authorized users to upload and download content of specific file types. In some file types it is possible to enter formulas that can call external applications or execute scripts. The execution of a payload (script) on the target machine could be used to steal and modify the data available in the spreadsheet.
Products affected by CVE-2020-26828
- cpe:2.3:a:sap:disclosure_management:10.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-26828
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- Percentile: ~20% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-26828
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N | 8.0 | 4.9 | NIST | |
5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | SAP SE | |
6.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | 3.1 | 2.7 | NIST | |
CWE ids for CVE-2020-26828
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-26828
- https://launchpad.support.sap.com/#/notes/2971180 (Permissions Required)
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 (Vendor Advisory)