{"api_version":"1","generated_at":"2026-04-29T15:42:38+00:00","cve":"CVE-2018-2427","urls":{"html":"https://cve.report/CVE-2018-2427","api":"https://cve.report/api/cve/CVE-2018-2427.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-2427","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-2427"},"summary":{"title":"CVE-2018-2427","description":"SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, and SAP Crystal Reports (version for Visual Studio .NET, Version 2010) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.","state":"PUBLIC","assigner":"cna@sap.com","published_at":"2018-07-10 18:29:00","updated_at":"2018-09-06 13:04:00"},"problem_types":["CWE-94"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/104715","name":"104715","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"SAP BusinessObjects Business Intelligence Suite Remote Code Injection Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://launchpad.support.sap.com/#/notes/2620738","name":"https://launchpad.support.sap.com/#/notes/2620738","refsource":"MISC","tags":["Permissions Required"],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=497256000","name":"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=497256000","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"SAP Security Patch Day – July 2018 - Product Security Response at SAP - Community Wiki","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-2427","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-2427","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"2427","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sap","cpe5":"businessobjects_business_intelligence","cpe6":"4.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"2427","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sap","cpe5":"businessobjects_business_intelligence","cpe6":"4.20","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"2427","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sap","cpe5":"businessobjects_business_intelligence","cpe6":"4.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"2427","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sap","cpe5":"businessobjects_business_intelligence","cpe6":"4.20","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"2427","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sap","cpe5":"crystal_reports","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"visual_studio_.net_2010","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"2427","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sap","cpe5":"crystal_reports","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"visual_studio_.net_2010","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cna@sap.com","ID":"CVE-2018-2427","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"SAP BusinessObjects Business Intelligence Suite","version":{"version_data":[{"version_name":"=","version_value":"4.10"},{"version_name":"=","version_value":"4.20"}]}},{"product_name":"SAP Crystal Reports","version":{"version_data":[{"version_name":"=","version_value":"version for Visual Studio .NET, Version 2010"}]}}]},"vendor_name":"SAP"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, and SAP Crystal Reports (version for Visual Studio .NET, Version 2010) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Code Injection"}]}]},"references":{"reference_data":[{"name":"https://launchpad.support.sap.com/#/notes/2620738","refsource":"MISC","url":"https://launchpad.support.sap.com/#/notes/2620738"},{"name":"104715","refsource":"BID","url":"http://www.securityfocus.com/bid/104715"},{"name":"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=497256000","refsource":"CONFIRM","url":"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=497256000"}]},"source":{"discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2018-07-10 18:29:00","lastModifiedDate":"2018-09-06 13:04:00","problem_types":["CWE-94"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:sap:businessobjects_business_intelligence:4.10:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:sap:businessobjects_business_intelligence:4.20:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:sap:crystal_reports:-:*:*:*:*:visual_studio_.net_2010:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"2427","Ordinal":"117982","Title":"CVE-2018-2427","CVE":"CVE-2018-2427","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"2427","Ordinal":"1","NoteData":"SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, and SAP Crystal Reports (version for Visual Studio .NET, Version 2010) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"2427","Ordinal":"2","NoteData":"2018-07-10","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"2427","Ordinal":"3","NoteData":"2018-07-12","Type":"Other","Title":"Modified"}]}}}