Cross-Site Scripting in SAP Contact Center Communication Desktop
CVE-2021-33672

9.6CRITICAL

Key Information:

Vendor: SAP
Status: SAP Contact Center
Vendor: CVE Published:; 14 September 2021

What is CVE-2021-33672?

A vulnerability in the SAP Contact Center's Communication Desktop component allows for the injection of malicious scripts via chat messages. This issue arises from inadequate encoding, permitting an attacker to execute scripts within the recipient's environment once the message is received. Given the application's use of ActiveX, attackers can potentially execute system-level commands, compromising the confidentiality and integrity of the affected system while also posing risks to its availability.

Affected Version(s)

SAP Contact Center < 700

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...

x_refsource_MISC

https://launchpad.support.sap.com/#/notes/3073891

x_refsource_MISC

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 14, 2021
Vulnerability Reserved
May 28, 2021