CVE-2021-21444 — UI Misrepresentation / Clickjacking in SE SAP Business Objects Business Intelligence Platform

CWE-1021 — UI Misrepresentation / Clickjacking3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 61.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Business Objects Business Intelligence Platform SAP Businessobjects Business Intelligence

Timeline

PublishedFeb 9

Latest updateMay 24

Description

SAP Business Objects BI Platform, versions - 410, 420, 430, allows multiple X-Frame-Options headers entries in the response headers, which may not be predictably treated by all user agents. This could, as a result, nullify the added X-Frame-Options header leading to Clickjacking attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_business_objects_business_intelligence_platform< 410+2

▶NVDsap/businessobjects_business_intelligence410, 420, 430+2

🔴Vulnerability Details

GHSA

GHSA-qq5h-7q3j-jh5p: SAP Business Objects BI Platform, versions - 410, 420, 430, allows multiple X-Frame-Options headers entries in the response headers, which may not be↗2022-05-24

▶

CVEList

CVE-2021-21444: SAP Business Objects BI Platform, versions - 410, 420, 430, allows multiple X-Frame-Options headers entries in the response headers, which may not be↗2021-02-09

▶