CVE-2021-21490 — Cross-site Scripting in SE SAP Netweaver AS FOR Abap

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 51.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver AS FOR Abap SAP Netweaver Application Server Abap

Timeline

PublishedJun 9

Latest updateSep 18

Description

SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_as_for_abap< 700+9

▶NVDsap/netweaver_application10 versions+9

🔴Vulnerability Details

OSV

binutils vulnerabilities↗2023-09-18

▶

GHSA

GHSA-c8cw-5vg3-hjw3: SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and outpu↗2022-05-24

▶

CVEList

CVE-2021-21490: SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and outpu↗2021-06-09

▶