Vulnerability Details : CVE-2021-33679
The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while creating a new module document, file, or folder. When another user visits that page, the stored malicious script will execute in their session, hence allowing the attacker to compromise their confidentiality and integrity.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2021-33679
- cpe:2.3:a:sap:businessobjects_business_intelligence_platform:420:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-33679
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 21 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-33679
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
5.4
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
SAP SE | |
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
NIST |
CWE ids for CVE-2021-33679
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-33679
-
https://launchpad.support.sap.com/#/notes/3055180
SAP ONE Support Launchpad: Log OnPermissions Required
-
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405
SAP Security Patch Day – September 2021 - Product Security Response at SAP - Community WikiVendor Advisory
Jump to