CVE-2019-0285
CRITICAL
SAP Crystal Reports for Visual Studio - Cleartext Storage of Sensitive Database Credentials
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2019-0285. PoCs published by Mohamed M.Fouad.
AI-analyzed exploit summary: This is a writeup describing a method to disclose sensitive information in SAP Crystal Reports by intercepting and decoding a base64-encoded 'viewerstate' parameter. No executable code is provided.
Description
The .NET SDK WebForm Viewer in SAP Crystal Reports for Visual Studio (fixed in version 2010) discloses sensitive database information including credentials which can be misused by the attacker.
Exploits (1)
exploitdb
WRITEUP
by Mohamed M.Fouad · text · webapps · multiple
https://www.exploit-db.com/exploits/47061
Classification
Writeup 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target:
SAP Crystal Reports for Visual Studio, Version 2010
No auth needed
Prerequisites:
Ability to intercept HTTP requests · Access to a vulnerable SAP Crystal Reports instance
devstral-2 · analyzed Feb 16, 2026
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114
Permissions Required, Vendor Advisory x_refsource_confirm
https://launchpad.support.sap.com/#/notes/2687663
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/153471/SAP-Crystal-Reports-Information-Disclosure.html
Scores
CVSS v3
9.8
EPSS
0.0661
EPSS Percentile
93.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-312
Status
published
Products (1)
sap/crystal_reports
2010
Published
Apr 10, 2019
Tracked Since
Feb 18, 2026