CVE-2021-33688 — SQL Injection in SE SAP Business ONE
Severity
4.3 MEDIUM (NVD)
EPSS
0.3%
top 47.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 14
Latest update: May 24
Description
SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4
Affected Packages: 2 packages
Vulnerability Details (2)
GHSA
GHSA-4h46-q5mh-hhfp: SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database (2022-05-24)
CVEList
CVE-2021-33688: SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database (2021-09-14)