CVE-2020-26836: SAP Solution Manager - Open Redirect

id: CVE-2020-26836

info:
  name: SAP Solution Manager - Open Redirect
  author: Gal Nagli,LRVT
  severity: medium
  description: SAP Solution Manager contains an open redirect vulnerability via the logoff endpoint. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  impact: |
    Attackers can redirect users to malicious websites through crafted links, potentially facilitating phishing attacks or credential theft.
  remediation: |
    Apply security patches or updates provided by SAP to fix the vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-26836
    - https://onapsis.com/security-advisories/sap-solution-manager-open-redirect-trace-analysis/
    - http://packetstormsecurity.com/files/163136/SAP-Solution-Manager-7.2-ST-720-Open-Redirection.html
    - http://seclists.org/fulldisclosure/2021/Jun/25
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2020-26836
    cwe-id: CWE-601
    epss-score: 0.05012
    epss-percentile: 0.8943
    cpe: cpe:2.3:a:sap:solution_manager:7.20:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: sap
    product: solution_manager
  tags: cve,cve2020,redirect,sap,vuln,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/sap/public/bc/icf/logoff?redirecturl=https://interact.sh"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 302
          - 301
          - 307

      - type: word
        part: header
        words:
          - "Location: https://www.interact.sh"
          - "Location: https://interact.sh"
        condition: or
# digest: 4a0a00473045022100fefe17db0169fcaa69f57bbc5f16ea34ef15247ecf659d765c1127c0da9a2058022031920316dfcd23bbccaf604d052185bb5b6f0f967b680c27d6d341d8af169c3c:922c64590222798bb761d5b6d8e72950