CVE-2020-26831

Name of the Vulnerable Software and Affected Versions SAP BusinessObjects BI Platform (Crystal Report) versions 4.1, 4.2, 4.3

Description The issue arises from insufficient validation of uploaded XML entities during crystal report generation due to missing XML validation. An attacker with basic privileges can inject arbitrary XML entities, leading to internal file disclosure, internal directories disclosure, Server-Side Request Forgery (SSRF), and denial-of-service (DoS).

Recommendations For versions 4.1, 4.2, 4.3, consider disabling the XML entity upload feature until a patch is available to prevent exploitation. Restrict access to the crystal report generation module to minimize the risk of internal file and directory disclosure. Avoid using the vulnerable XML validation mechanism in the affected SAP BusinessObjects BI Platform until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.