CVE-2021-33679 — Cross-site Scripting in SE SAP Businessobjects Business Intelligence Platform

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.2%

top 62.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Businessobjects Business Intelligence Platform SAP Businessobjects Business Intelligence Platform

Timeline

PublishedSep 14

Latest updateMay 24

Description

The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while creating a new module document, file, or folder. When another user visits that page, the stored malicious script will execute in their session, hence allowing the attacker to compromise their confidentiality and integrity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_businessobjects_business_intelligence_platform< 420

▶NVDsap/businessobjects_business_intelligence_platform420

🔴Vulnerability Details

GHSA

GHSA-2h3g-g3x2-rqwp: The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while crea↗2022-05-24

▶

CVEList

CVE-2021-33679: The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while crea↗2021-09-14

▶