CVE-2021-27601

CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
5.4MEDIUM
EPSS
0.2%
top 62.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP Netweaver AS FOR Java (applications Based ON Htmlb FOR Java)SAP Netweaver Application Server Java
Timeline
PublishedApr 13
Latest updateMay 24

Description

SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

CVEListV5sap_se/sap_netweaver_as_for_java_(applications_based_on_htmlb_for_java)EP-BASIS 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, FRAMEWORK 7.10, 7.11, FRAMEWORK-EXT 7.30, 7.31, 7.40, 7.50+2
NVDsap/netweaver_application6 versions+5

🔴Vulnerability Details

2
GHSA
GHSA-hfcm-37qj-j7cf: SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server2022-05-24
CVEList
CVE-2021-27601: SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server2021-04-13
CVE-2021-27601 (MEDIUM CVSS 5.4) | SAP NetWeaver AS Java (Applications | cvebase.io