CVE-2020-6288 — Unrestricted File Upload in SE SAP Business Objects Business Intelligence Platform

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 55.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Business Objects Business Intelligence Platform SAP Businessobjects Business Intelligence Platform

Timeline

PublishedSep 9

Latest updateMay 24

Description

SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface) allows an attacker with edit document rights to upload any file (including script files) without proper file format validation leading to Unrestricted upload of file with dangerous type vulnerability. The attacker can modify some formulas and display erroneous content. The server is not affected only the current user browser session, that can easily be closed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5sap_se/sap_business_objects_business_intelligence_platform< 4.1+1

▶NVDsap/businessobjects_business_intelligence_platform4.1, 4.2+1

🔴Vulnerability Details

GHSA

GHSA-g434-x599-83p4: SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface) allows an attacker with edit document rights to upload any file↗2022-05-24

▶

CVEList

CVE-2020-6288: SAP Business Objects Business Intelligence Platform (Web Intelligence HTML interface) allows an attacker with edit document rights to upload any file↗2020-09-09

▶