CVE-2020-6260: XML Injection (aka Blind XPath Injection) in SE SAP Solution Manager

Severity
5.3 MEDIUM (NVD)
EPSS
0.2%
top 59.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 10
Latest update: May 24

Description

SAP Solution Manager (Trace Analysis), version 7.20, allows an attacker to inject superfluous data that can be displayed by the application, due to Incomplete XML Validation. The application shows additional data that do not actually exist.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages: 2 packages

Vulnerability Details (2)
GHSA
GHSA-v3fw-mj9c-qq7m: SAP Solution Manager (Trace Analysis), version 7 (2022-05-24)
CVEList
CVE-2020-6260: SAP Solution Manager (Trace Analysis), version 7 (2020-06-10)