Lucene search

SapCVELIST:CVE-2020-6368

HistoryOct 15, 2020 - 1:54 a.m.

CVE-2020-6368

2020-10-1501:54:18

sap

www.cve.org

sap bpc 750-200

cross site scripting

unauthorized modification

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

22.7%

JSON

SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting.

CNA Affected

[
  {
    "product": "SAP Business Planning and Consolidation",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "< 750"
      },
      {
        "status": "affected",
        "version": "< 751"
      },
      {
        "status": "affected",
        "version": "< 752"
      },
      {
        "status": "affected",
        "version": "< 753"
      },
      {
        "status": "affected",
        "version": "< 754"
      },
      {
        "status": "affected",
        "version": "< 755"
      },
      {
        "status": "affected",
        "version": "< 810"
      },
      {
        "status": "affected",
        "version": "< 100"
      },
      {
        "status": "affected",
        "version": "< 200"
      }
    ]
  }
]

References

launchpad.support.sap.com/#/notes/2960825

wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196