Vulnerability Details : CVE-2021-33691
NWDI Notification Service versions 7.31, 7.40 and 7.50 do not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability. SAP NetWeaver Development Infrastructure Notification Service allows a threat actor to send crafted scripts to a victim. If the victim has an active session when the crafted script is executed, the threat actor could compromise information in the victim's session and gain access to some sensitive information.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2021-33691
- cpe:2.3:a:sap:netweaver_development_infrastructure:7.31:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_development_infrastructure:7.40:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_development_infrastructure:7.50:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-33691
- EPSS score: 0.23% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~44% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2021-33691
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
6.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N | 1.6 | 4.7 | SAP SE | |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
CWE ids for CVE-2021-33691
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-33691
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806 (SAP Security Patch Day – August 2021 - Product Security Response at SAP - Community Wiki; tagged Patch, Vendor Advisory)
- https://launchpad.support.sap.com/#/notes/3073450 (SAP ONE Support Launchpad: Log On; tagged Permissions Required)