CVE-2021-27600 — Cross-site Scripting in SE SAP Manufacturing Execution

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 55.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Manufacturing Execution SAP Manufacturing Execution

Timeline

PublishedApr 13

Latest updateMay 24

Description

SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored Cross-Site Scripting (XSS) vulnerability. The malicious code can be used for different purposes. e.g., information can be read, modified, and sent to the attacker. However, availability of the server …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_manufacturing_execution< 15.1+3

▶NVDsap/manufacturing_execution4 versions+3

🔴Vulnerability Details

GHSA

GHSA-4pr6-x3xw-vrm6: SAP Manufacturing Execution (System Rules), versions - 15↗2022-05-24

▶

CVEList

CVE-2021-27600: SAP Manufacturing Execution (System Rules), versions - 15↗2021-04-13

▶