PT-2020-19084 · SAP · SAP BusinessObjects Business Intelligence Platform

Published: 2020-10-20 · Updated: 2024-08-12 · CVE-2020-6308

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SAP BusinessObjects Business Intelligence Platform (Web Services) versions 410, 420, 430

Description: The issue allows an unauthenticated attacker to inject arbitrary values as CMS parameters, enabling them to perform lookups on the internal network, which is otherwise not accessible externally. This can lead to scanning the internal network to determine its infrastructure and gather information for further attacks, such as remote file inclusion, retrieving server files, bypassing the firewall, and forcing the vulnerable server to perform malicious requests, resulting in a Server-Side Request Forgery vulnerability.

Recommendations: For SAP BusinessObjects Business Intelligence Platform (Web Services) versions 410, 420, 430, consider restricting access to the CMS parameters to prevent arbitrary value injection until a patch is available. As a temporary workaround, restrict the ability of the server to perform requests to internal network resources to minimize the risk of exploitation.

Tags: Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers: CVE-2020-6308

Affected Products: SAP BusinessObjects Business Intelligence Platform