CVE-2020-26831

critical

Description

SAP BusinessObjects BI Platform (Crystal Report), versions 4.1, 4.2 and 4.3, does not sufficiently validate uploaded XML entities during Crystal Report generation due to missing XML validation. An attacker with basic privileges can inject arbitrary XML entities, leading to internal file disclosure, internal directory disclosure, Server-Side Request Forgery (SSRF) and denial-of-service (DoS).

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

https://launchpad.support.sap.com/#/notes/2989075

Details

Source: Mitre, NVD

Published: 2020-12-09

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 9.6

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H

Severity: Critical

EPSS

EPSS: 0.00615