Description
SAP AS ABAP (DMIS), versions 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020, and SAP S4 HANA (DMIS), versions 101, 102, 103, 104, 105, allow an authenticated attacker to inject arbitrary code into a function module. The injected code can then be executed in the application, which affects the confidentiality, availability and integrity of the application.
References (4)
Core References
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/2973735
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2022/May/42
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html
Scores
CVSS v3
7.2
EPSS
0.0374
EPSS Percentile
88.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (13)
sap/sap_as_abap\(dmis\)
2011_1_620
sap/sap_as_abap\(dmis\)
2011_1_640
sap/sap_as_abap\(dmis\)
2011_1_700
sap/sap_as_abap\(dmis\)
2011_1_710
sap/sap_as_abap\(dmis\)
2011_1_730
sap/sap_as_abap\(dmis\)
2011_1_731
sap/sap_as_abap\(dmis\)
2011_1_752
sap/sap_as_abap\(dmis\)
2020
sap/sap_s4_hana\(dmis\)
101
sap/sap_s4_hana\(dmis\)
102
... and 3 more
Published
Nov 10, 2020
Tracked Since
Feb 18, 2026