#VU36006 Information disclosure in Crystal Reports - CVE-2019-0285
Published: April 10, 2019 / Updated: June 17, 2021
Vulnerability identifier: #VU36006
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2019-0285
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Crystal Reports
Software vendor:
SAP
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The .NET SDK WebForm Viewer in SAP Crystal Reports for Visual Studio (fixed in version 2010) discloses sensitive database information, including credentials, which an attacker can misuse.
Remediation
Install the update from the vendor's website.