CVE-2021-33672

CWE-1163 documents3 sources
Severity
9.6CRITICAL
EPSS
0.3%
top 49.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP Contact CenterSAP Contact Center
Timeline
PublishedSep 14
Latest updateMay 24

Description

Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands in the chat recipient's scope. This could lead to a complete compromise of their confidentiality, integrity, and could temporarily impact their

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages2 packages

CVEListV5sap_se/sap_contact_center< 700

🔴Vulnerability Details

2
GHSA
GHSA-v3pv-ppv6-v9rf: Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message2022-05-24
CVEList
CVE-2021-33672: Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message2021-09-14
CVE-2021-33672 (CRITICAL CVSS 9.6) | Due to missing encoding in SAP Cont | cvebase.io