Description
SAP BusinessObjects BI Platform (Crystal Report), versions 4.1, 4.2 and 4.3, does not sufficiently validate uploaded XML entities during Crystal Report generation because XML validation is missing. An attacker with basic privileges can inject arbitrary XML entities, leading to internal file disclosure, internal directory disclosure, Server-Side Request Forgery (SSRF) and denial of service (DoS).
References (2)
Core References
Vendor Advisory (x_refsource_misc): https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079
Permissions Required (x_refsource_misc): https://launchpad.support.sap.com/#/notes/2989075
Scores
CVSS v3
9.6
EPSS
0.0062
EPSS Percentile
70.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
Details
Status
published
Products (3)
sap/businessobjects_business_intelligence_platform 4.1
sap/businessobjects_business_intelligence_platform 4.2
sap/businessobjects_business_intelligence_platform 4.3
Published
Dec 09, 2020
Tracked Since
Feb 18, 2026