CVE-2020-6208
Severity: HIGH
SAP Crystal Reports 4.1-4.2 - Authenticated Remote Code Execution via Use-After-Free
SAP Business Objects Business Intelligence Platform (Crystal Reports), versions 4.1 and 4.2, allows an attacker with basic authorization to inject code that can be executed by the application, thus allowing the attacker to control the behaviour of the application, leading to Remote Code Execution. Although the mode of attack is only Local, multiple applications can be impacted as a result of the vulnerability.
References (3)
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/2861301
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-20-291/
Scores
CVSS v3: 8.2
EPSS: 0.0260
EPSS Percentile: 85.8%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Details
CWE: CWE-416
Status: published
Products (2):
sap/crystal_reports 4.1
sap/crystal_reports 4.2
Published: Mar 10, 2020
Tracked Since: Feb 18, 2026