{"vulnerability": "CVE-2020-2680", "sightings": [{"uuid": "3fdfe609-3493-444f-9409-1afa82db3914", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-26807", "type": "seen", "source": "https://t.me/cibsecurity/16102", "content": "\u203c CVE-2020-26807 \u203c\n\nSAP ERP Client for E-Bilanz, version - 1.0, installation sets Incorrect default filesystem permissions are set in its installation folder which allows anyone to modify the files in the folder.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-10T20:26:50.000000Z"}, {"uuid": "7e7c29cc-6a30-402e-b7c0-e446d0793e21", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-26806", "type": "seen", "source": "https://t.me/cibsecurity/26646", "content": "\u203c CVE-2020-26806 \u203c\n\nadmin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2021-07-31T20:25:51.000000Z"}, {"uuid": "c9171fb3-0eaa-4dbf-9b7f-6d72eba82d45", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-26806", "type": "seen", "source": "https://t.me/pwnwiki_zhchannel/809", "content": "CVE-2020-26806 ObjectPlanet Opinio 7.13 shell\u4e0a\u50b3\u6f0f\u6d1e\nhttps://www.pwnwiki.org/index.php?title=CVE-2020-26806_ObjectPlanet_Opinio_7.13_shell%E4%B8%8A%E5%82%B3%E6%BC%8F%E6%B4%9E", "creation_timestamp": "2021-09-21T04:42:01.000000Z"}, {"uuid": "f264fcb6-2190-4b61-8079-5d00126b106e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": 
"9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-26808", "type": "seen", "source": "https://t.me/cibsecurity/16110", "content": "\u203c CVE-2020-26808 \u203c\n\nSAP AS ABAP(DMIS), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA(DMIS), versions - 101, 102, 103, 104, 105, allows an authenticated attacker to inject arbitrary code into function module leading to code injection that can be executed in the application which affects the confidentiality, availability and integrity of the application.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-10T20:27:49.000000Z"}, {"uuid": "57b4548c-f8f6-43ca-93b6-7bad437d48d7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-26803", "type": "seen", "source": "https://t.me/cibsecurity/16257", "content": "\u203c CVE-2020-26803 \u203c\n\nIn Sentrifugo 3.2, users can upload an image under \"Assets -> Add\" tab. This \"Upload Images\" functionality is suffered from \"Unrestricted File Upload\" vulnerability so attacker can upload malicious files using this functionality and control the server.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-12T22:32:03.000000Z"}, {"uuid": "571f3b20-f02c-4d14-99ca-1866d69c875d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-26805", "type": "seen", "source": "https://t.me/cibsecurity/16252", "content": "\u203c CVE-2020-26805 \u203c\n\nIn Sentrifugo 3.2, admin can edit employee's informations via this endpoint --> /sentrifugo/index.php/empadditionaldetails/edit/userid/2. In this POST request, \"employeeNumId\" parameter is affected by SQLi vulnerability. 
Attacker can inject SQL commands into query, read data from database or write data into the database.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-12T22:31:57.000000Z"}, {"uuid": "1a7d5cef-2bce-4c9a-81f7-5d1715c0fdde", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-26804", "type": "seen", "source": "https://t.me/cibsecurity/16256", "content": "\u203c CVE-2020-26804 \u203c\n\nIn Sentrifugo 3.2, users can share an announcement under \"Organization -> Announcements\" tab. Also, in this page, users can upload attachments with the shared announcements. This \"Upload Attachment\" functionality is suffered from \"Unrestricted File Upload\" vulnerability so attacker can upload malicious files using this functionality and control the server.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-12T22:32:01.000000Z"}, {"uuid": "40d34a69-815e-4718-a3dc-1bc688a865db", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2020-26809", "type": "seen", "source": "https://t.me/cibsecurity/16116", "content": "\u203c CVE-2020-26809 \u203c\n\nSAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint hence gaining access to Secure Media folders. This folder could contain sensitive files that results in disclosure of sensitive information and impact system configuration confidentiality.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-11-10T20:27:58.000000Z"}]}