CVE-2020-26830
PUBLISHED
CVSS 7.6 HIGH
SAP Solution Manager 7.2 (User Experience Monitoring), version 7.2, does not perform necessary authorization checks for an authenticated user. Due to inadequate access control, a network attacker authenticated as a regular user can use operations which should be restricted to administrators. These operations can be used to change the User Experience Monitoring configuration, obtain details about the configured SAP Solution Manager agents, and deploy a malicious User Experience Monitoring script.
EPSS 0.25% · 48.9th percentile
Risk Scores
CVSS v3.0
7.6
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
EPSS Score
0.25%
48.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| sap | solution_manager | 7.20 |
| SAP SE | SAP Solution Manager (User Experience Monitoring) | < 7.20 |
Timeline
- Dec 8, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 19, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 advisory
- https://launchpad.support.sap.com/#/notes/2983204 url
- 20210614 Onapsis Security Advisory 2021-0011 Missing authorization check in SolMan End-User Experience Monitoring mailing-list
- http://packetstormsecurity.com/files/163161/SAP-Solution-Manager-7.2-Missing-Authorization.html url
- https://nvd.nist.gov/vuln/detail/CVE-2020-26830 advisory