CVE-2020-26808

high-risk
Published 2020-11-10

SAP AS ABAP(DMIS), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA(DMIS), versions - 101, 102, 103, 104, 105, allows an authenticated attacker to inject arbitrary code into function module leading to code injection that can be executed in the application which affects the confidentiality, availability and integrity of the application.

Do I need to act?

~
3.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.2/10 High
NETWORK / LOW complexity

Affected Products (13)

Sap As Abap\(Dmis\)
Sap As Abap\(Dmis\)
Sap As Abap\(Dmis\)
Sap As Abap\(Dmis\)
Sap As Abap\(Dmis\)
Sap As Abap\(Dmis\)
Sap As Abap\(Dmis\)
Sap As Abap\(Dmis\)
Sap S4 Hana\(Dmis\)
Sap S4 Hana\(Dmis\)
Sap S4 Hana\(Dmis\)
Sap S4 Hana\(Dmis\)
Sap S4 Hana\(Dmis\)

Affected Vendors

Sap

References (8)

Exploit http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Pla...
Exploit http://seclists.org/fulldisclosure/2022/May/42
Permissions Required https://launchpad.support.sap.com/#/notes/2973735
Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571
Exploit http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Pla...
Exploit http://seclists.org/fulldisclosure/2022/May/42
Permissions Required https://launchpad.support.sap.com/#/notes/2973735
Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571
50
/ 100
high-risk
Severity 26/34 · High
Exploitability 7/34 · Low
Exposure 17/34 · Moderate