CVE-2021-33691

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.2%

top 54.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Development Infrastructure (notification Service)SAP Netweaver Development Infrastructure

Timeline

PublishedSep 15

Latest updateMay 24

Description

NWDI Notification Service versions - 7.31, 7.40, 7.50, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.SAP NetWeaver Development Infrastructure Notification Service allows a threat actor to send crafted scripts to a victim. If the victim has an active session when the crafted script gets executed, the threat actor could compromise information in victims session, and gain access to some sensitive information also.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_development_infrastructure_(notification_service)< 7.31+2

▶NVDsap/netweaver_development_infrastructure7.31, 7.40, 7.50+2

Patches

Patch: wiki.scn.sap.com ↗Patch: wiki.scn.sap.com ↗

🔴Vulnerability Details

GHSA

GHSA-h5vp-8vfv-4cgp: NWDI Notification Service versions - 7↗2022-05-24

▶

CVEList

CVE-2021-33691: NWDI Notification Service versions - 7↗2021-09-15

▶