Lucene search

SapCVE-2020-6368

HistoryOct 15, 2020 - 2:15 a.m.

CVE-2020-6368

2020-10-1502:15:12

CWE-79

sap

web.nvd.nist.gov

sap

bpc

cross site scripting

xss

security vulnerability

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

22.7%

JSON

SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting.

Affected configurations

Nvd

Node

sapbusiness_planning_and_consolidationMatch100

sapbusiness_planning_and_consolidationMatch200

sapbusiness_planning_and_consolidationMatch750

sapbusiness_planning_and_consolidationMatch751

sapbusiness_planning_and_consolidationMatch752

sapbusiness_planning_and_consolidationMatch753

sapbusiness_planning_and_consolidationMatch754

sapbusiness_planning_and_consolidationMatch755

sapbusiness_planning_and_consolidationMatch810

VendorProductVersionCPE
sapbusiness_planning_and_consolidation100cpe:2.3:a:sap:business_planning_and_consolidation:100:*:*:*:*:*:*:*
sapbusiness_planning_and_consolidation200cpe:2.3:a:sap:business_planning_and_consolidation:200:*:*:*:*:*:*:*
sapbusiness_planning_and_consolidation750cpe:2.3:a:sap:business_planning_and_consolidation:750:*:*:*:*:*:*:*
sapbusiness_planning_and_consolidation751cpe:2.3:a:sap:business_planning_and_consolidation:751:*:*:*:*:*:*:*
sapbusiness_planning_and_consolidation752cpe:2.3:a:sap:business_planning_and_consolidation:752:*:*:*:*:*:*:*
sapbusiness_planning_and_consolidation753cpe:2.3:a:sap:business_planning_and_consolidation:753:*:*:*:*:*:*:*
sapbusiness_planning_and_consolidation754cpe:2.3:a:sap:business_planning_and_consolidation:754:*:*:*:*:*:*:*
sapbusiness_planning_and_consolidation755cpe:2.3:a:sap:business_planning_and_consolidation:755:*:*:*:*:*:*:*
sapbusiness_planning_and_consolidation810cpe:2.3:a:sap:business_planning_and_consolidation:810:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sap	business_planning_and_consolidation	100	cpe:2.3:a:sap:business_planning_and_consolidation:100:::::::*
sap	business_planning_and_consolidation	200	cpe:2.3:a:sap:business_planning_and_consolidation:200:::::::*
sap	business_planning_and_consolidation	750	cpe:2.3:a:sap:business_planning_and_consolidation:750:::::::*
sap	business_planning_and_consolidation	751	cpe:2.3:a:sap:business_planning_and_consolidation:751:::::::*
sap	business_planning_and_consolidation	752	cpe:2.3:a:sap:business_planning_and_consolidation:752:::::::*
sap	business_planning_and_consolidation	753	cpe:2.3:a:sap:business_planning_and_consolidation:753:::::::*
sap	business_planning_and_consolidation	754	cpe:2.3:a:sap:business_planning_and_consolidation:754:::::::*
sap	business_planning_and_consolidation	755	cpe:2.3:a:sap:business_planning_and_consolidation:755:::::::*
sap	business_planning_and_consolidation	810	cpe:2.3:a:sap:business_planning_and_consolidation:810:::::::*

CNA Affected

[
  {
    "product": "SAP Business Planning and Consolidation",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "< 750"
      },
      {
        "status": "affected",
        "version": "< 751"
      },
      {
        "status": "affected",
        "version": "< 752"
      },
      {
        "status": "affected",
        "version": "< 753"
      },
      {
        "status": "affected",
        "version": "< 754"
      },
      {
        "status": "affected",
        "version": "< 755"
      },
      {
        "status": "affected",
        "version": "< 810"
      },
      {
        "status": "affected",
        "version": "< 100"
      },
      {
        "status": "affected",
        "version": "< 200"
      }
    ]
  }
]

References

launchpad.support.sap.com/#/notes/2960825

wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

22.7%

JSON

Related for CVE-2020-6368