CVE-2021-33673: Cross-site Scripting in SE SAP Contact Center

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.3% (top 44.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 14; Latest update May 24

Description

Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs and persists in them. This allows an attacker to exploit a Stored Cross-Site Scripting (XSS) vulnerability when a user browses through the employee directory and to execute arbitrary code on the victim's browser. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages: 2 packages

Vulnerability Details (2)

GHSA
GHSA-52px-jf69-7p9q: Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs and persists in them (2022-05-24)
CVEList
CVE-2021-33673: Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs and persists in them (2021-09-14)