Description
Crystal Report does not sufficiently validate uploaded XML entities. An attacker with basic privileges can inject some arbitrary XML entities leading to internal file disclosure, internal directories disclosure, Server Side Request Forgery (SSRF) and also denial-of-service (DoS)
Available fix and Supported packages
- ENTERPRISE | 410 | 410
- ENTERPRISE | 420 | 420
- ENTERPRISE | 430 | 430
- SBOP BI PLATFORM SERVERS 4.1 | SP012 | 000900
- SBOP BI PLATFORM SERVERS 4.2 | SP008 | 000700
- SBOP BI PLATFORM SERVERS 4.2 | SP009 | 000000
- SBOP BI PLATFORM SERVERS 4.3 | SP000 | 000400
- SBOP BI PLATFORM SERVERS 4.3 | SP001 | 000000
- SBOP BI PLATFORM SERVERS 4.3 | SP002 | 000000
Affected component
- BI-RA-CR-VW
Viewers
CVSS
Score: 9.6
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
Exploit
Exploit is not available.
For detailed information please contact the mail [email protected].
URL
https://launchpad.support.sap.com/#/notes/2989075