CVE-2020-6368

SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting.

CVSS v3 5.4 MEDIUM
CVSS v2.0 3.5 LOW

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://launchpad.support.sap.com/#/notes/2960825	Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sap:business_planning_and_consolidation:100:::::::*
	cpe:2.3:a:sap:business_planning_and_consolidation:200:::::::*
	cpe:2.3:a:sap:business_planning_and_consolidation:750:::::::*
	cpe:2.3:a:sap:business_planning_and_consolidation:751:::::::*
	cpe:2.3:a:sap:business_planning_and_consolidation:752:::::::*
	cpe:2.3:a:sap:business_planning_and_consolidation:753:::::::*
	cpe:2.3:a:sap:business_planning_and_consolidation:754:::::::*
	cpe:2.3:a:sap:business_planning_and_consolidation:755:::::::*
	cpe:2.3:a:sap:business_planning_and_consolidation:810:::::::*

History

No history.

Information

Published : 2020-10-15 02:15

Updated : 2024-02-28 18:08

NVD link : CVE-2020-6368

Mitre link : CVE-2020-6368

CVE.ORG link : CVE-2020-6368

JSON object : View

Products Affected

sap

business_planning_and_consolidation

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2020-6368", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Secondary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2020-10-15T02:15:12.890", "references": [{"url": "https://launchpad.support.sap.com/#/notes/2960825", "tags": ["Permissions Required"], "source": "cna@sap.com"}, {"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196", "tags": ["Vendor Advisory"], "source": "cna@sap.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "SAP Business Planning and Consolidation, versions - 750, 751, 752, 753, 754, 755, 810, 100, 200, can be abused by an attacker, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users, leading to Cross Site Scripting."}, {"lang": "es", "value": "SAP Business Planning and Consolidation, versiones - 750, 751, 752, 753, 754, 755, 810, 100, 200, pueden ser abusada por un atacante, permitiendo modificar el contenido de la aplicaci\u00f3n mostrada sin autorizaci\u00f3n y potencialmente obtener informaci\u00f3n de autenticaci\u00f3n de otros usuarios leg\u00edtimos, conllevando a una vulnerabilidad de tipo Cross Site Scripting"}], "lastModified": "2020-10-19T19:50:23.043", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:100:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5511CB0-07AA-49C9-B445-32E78957F0BC"}, {"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:200:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "545A7B0D-B9E5-42AB-A81C-AC3C55E7ACDD"}, {"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:750:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F248836-5A9D-4DA8-9AAC-F71AD511DAF7"}, {"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:751:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E9AD392-554A-4707-99F2-E9449E2232D6"}, {"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:752:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "60287C4F-7CA8-43B4-A054-5C63D5DA99BE"}, {"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:753:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9A5ACFB-A152-445A-A5CD-33083DD726CD"}, {"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:754:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B936DDDB-7B28-4A73-9A05-3BF403A9D95E"}, {"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:755:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80834B1A-9FA7-4334-8D0F-6A0E001738A2"}, {"criteria": "cpe:2.3:a:sap:business_planning_and_consolidation:810:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA754B06-A263-4B03-B350-96F507E2235B"}], "operator": "OR"}]}], "sourceIdentifier": "cna@sap.com"}