CVE-2021-33702 — Cross-site Scripting in SE SAP Netweaver Enterprise Portal

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.7%

top 27.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Enterprise Portal SAP Netweaver Enterprise Portal

Timeline

PublishedAug 10

Latest updateMay 24

Description

Under certain conditions, NetWeaver Enterprise Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode report data. An attacker can craft malicious data and print it to the report. In a successful attack, a victim opens the report, and the malicious script gets executed in the victim's browser, resulting in a Stored Cross-Site Scripting (XSS) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_enterprise_portal< 7.10+6

▶NVDsap/netweaver_enterprise_portal7 versions+6

🔴Vulnerability Details

GHSA

GHSA-2f44-722h-c7qc: Under certain conditions, NetWeaver Enterprise Portal, versions - 7↗2022-05-24

▶

CVEList

CVE-2021-33702: Under certain conditions, NetWeaver Enterprise Portal, versions - 7↗2021-08-10

▶