CVE-2020-26828 — Unrestricted File Upload in SE SAP Disclosure Management

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

6.4MEDIUMNVD

EPSS

0.3%

top 45.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Disclosure Management SAP Disclosure Management

Timeline

PublishedDec 9

Latest updateMay 24

Description

SAP Disclosure Management, version - 10.1, provides capabilities for authorized users to upload and download content of specific file type. In some file types it is possible to enter formulas which can call external applications or execute scripts. The execution of a payload (script) on target machine could be used to steal and modify the data available in the spreadsheet

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_disclosure_management< 10.1

▶NVDsap/disclosure_management10.1

🔴Vulnerability Details

GHSA

GHSA-qpj4-2wrv-fg4g: SAP Disclosure Management, version - 10↗2022-05-24

▶

CVEList

CVE-2020-26828: SAP Disclosure Management, version - 10↗2020-12-09

▶