Stored Cross-Site Scripting Vulnerability in SAP NetWeaver Enterprise Portal
CVE-2021-33702

8.3 HIGH

Key Information:

Vendor: SAP
CVE Published: 10 August 2021

Summary

SAP NetWeaver Enterprise Portal versions 7.10 through 7.50 do not sufficiently encode report data. An attacker can inject malicious scripts into a report, and those scripts execute in the browsers of users who open it. The result is a Stored XSS vulnerability that poses significant risks to user data and system integrity.

Affected Version(s)

SAP NetWeaver Enterprise Portal < 7.10

SAP NetWeaver Enterprise Portal < 7.11

SAP NetWeaver Enterprise Portal < 7.20

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
