← back
CVE-2020-26808

CVE-2020-26808

CVSS 9.1 CRITICALEPSS 3.0%
SAP AS ABAP(DMIS), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA(DMIS), versions - 101, 102, 103, 104, 105, allows an authenticated attacker to inject arbitrary code into function module leading to code injection that can be executed in the application which affects the confidentiality, availability and integrity of the application.
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected products
SAP SE · SAP AS ABAP(DMIS)SAP SE · SAP S4 HANA(DMIS)
public PoCs found1
cve_referencepacketstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.htmlhttp://seclists.org/fulldisclosure/2022/May/42https://launchpad.support.sap.com/#/notes/2973735https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571