CVE-2021-40500
Severity: HIGH
SAP BusinessObjects Business Intelligence Platform 420 430 - Unauthenticated XML External Entity Injection
Title source: llmDescription
SAP BusinessObjects Business Intelligence Platform (Crystal Reports) - versions 420, 430, allows an unauthenticated attacker to exploit missing XML validations at endpoints to read sensitive data. These endpoints are normally exposed over the network and successful exploitation can enable the attacker to retrieve arbitrary files from the server.
References (2)
Vendor Advisory (x_refsource_misc): https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=587169983
Permissions Required (x_refsource_misc): https://launchpad.support.sap.com/#/notes/3074693
Scores
CVSS v3: 7.5
EPSS: 0.0121
EPSS Percentile: 79.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-611
Status: published
Products (2)
sap/businessobjects_business_intelligence_platform 4.20
sap/businessobjects_business_intelligence_platform 4.30
Published: Oct 12, 2021
Tracked Since: Feb 18, 2026