CVE-2021-33697 — Use of Web Link to Untrusted Target with window.opener Access in SE SAP Businessobjects Business Intelligence Platform

CWE-1022 — Use of Web Link to Untrusted Target with window.opener Access CWE-269 — Improper Privilege Management3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 53.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Businessobjects Business Intelligence Platform SAP Businessobjects Business Intelligence

Timeline

PublishedSep 15

Latest updateMay 24

Description

Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_businessobjects_business_intelligence_platform< 420+1

▶NVDsap/businessobjects_business_intelligence420, 430+1

Patches

Patch: wiki.scn.sap.com ↗Patch: wiki.scn.sap.com ↗

🔴Vulnerability Details

GHSA

GHSA-6vxp-v535-v5r9: Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to r↗2022-05-24

▶

CVEList

CVE-2021-33697: Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to r↗2021-09-15

▶