CVE-2020-26837

moderate-risk
Published 2020-12-09

SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, allows an authenticated user to upload a malicious script that can exploit an existing path traversal vulnerability to compromise confidentiality exposing elements of the file system, partially compromise integrity allowing the modification of some configurations and partially compromise availability by making certain services unavailable.

Do I need to act?

-
0.56% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Sap

References (8)

Third Party Advisory http://packetstormsecurity.com/files/163160/SAP-Solution-Manager-7.2-File-Disclo...
Mailing List http://seclists.org/fulldisclosure/2021/Jun/32
Permissions Required https://launchpad.support.sap.com/#/notes/2983204
Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079
Third Party Advisory http://packetstormsecurity.com/files/163160/SAP-Solution-Manager-7.2-File-Disclo...
Mailing List http://seclists.org/fulldisclosure/2021/Jun/32
Permissions Required https://launchpad.support.sap.com/#/notes/2983204
Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079
38
/ 100
moderate-risk
Severity 31/34 · Critical
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal