Reflected Cross-Site Scripting in NetWeaver Enterprise Portal by SAP
CVE-2021-33703

8.3HIGH

Key Information:

Vendor
SAP
Status
SAP Netweaver Enterprise Portal (application Extensions)
Vendor
CVE Published:
10 August 2021

Summary

The NetWeaver Enterprise Portal by SAP has a vulnerability due to insufficient encoding of URL parameters in versions 7.30, 7.31, 7.40, and 7.50. Under specific conditions, an attacker can create a malicious link and send it to a user. If the victim clicks on this crafted link, it can lead to a reflected XSS attack, compromising the integrity of system operations and potentially leading to unauthorized actions within the application.

Affected Version(s)

SAP NetWeaver Enterprise Portal (Application Extensions) < 7.30 < 7.30

SAP NetWeaver Enterprise Portal (Application Extensions) < 7.31 < 7.31

SAP NetWeaver Enterprise Portal (Application Extensions) < 7.40 < 7.40

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...
x_refsource_MISC
https://launchpad.support.sap.com/#/notes/3072920
x_refsource_MISC
http://seclists.org/fulldisclosure/2022/Jan/71
mailing-listx_refsource_FULLDISC

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.