Cross-Site Scripting Vulnerability in SAP NetWeaver Application Server ABAP
CVE-2021-33664

5.4 MEDIUM

Summary

The SAP NetWeaver Application Server ABAP, particularly for applications using Web Dynpro ABAP, suffers from a Cross-Site Scripting (XSS) vulnerability due to inadequate encoding of user-controlled inputs. This lack of proper input handling can allow attackers to inject malicious scripts into web pages viewed by other users, potentially leading to unauthorized actions and data theft. Organizations using affected SAP UI and BASIS versions should implement necessary security measures to mitigate these risks.

Affected Version(s)

SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP) < SAP_UI - 750

SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP) < 752

SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP) < 753

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
