CVE-2021-21489 — Cross-site Scripting in SE SAP Netweaver Enterprise Portal

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

0.2%

top 53.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Enterprise Portal SAP Netweaver Enterprise Portal

Timeline

PublishedSep 14

Latest updateMay 24

Description

SAP NetWeaver Enterprise Portal versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with administrative privileges to store a malicious script on the portal. The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of portal content.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_enterprise_portal< 7.10+6

▶NVDsap/netweaver_enterprise_portal7 versions+6

🔴Vulnerability Details

GHSA

GHSA-7chv-w23j-556x: SAP NetWeaver Enterprise Portal versions - 7↗2022-05-24

▶

CVEList

CVE-2021-21489: SAP NetWeaver Enterprise Portal versions - 7↗2021-09-14

▶