CVE-2021-33703 — Cross-site Scripting in SE SAP Netweaver Enterprise Portal

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.7%

top 28.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Enterprise Portal SAP Netweaver Enterprise Portal

Timeline

PublishedAug 10

Latest updateMay 24

Description

Under certain conditions, NetWeaver Enterprise Portal, versions - 7.30, 7.31, 7.40, 7.50, does not sufficiently encode URL parameters. An attacker can craft a malicious link and send it to a victim. A successful attack results in Reflected Cross-Site Scripting (XSS) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_enterprise_portal< 7.30+3

▶NVDsap/netweaver_enterprise_portal4 versions+3

🔴Vulnerability Details

GHSA

GHSA-mc4p-q6wc-4cwx: Under certain conditions, NetWeaver Enterprise Portal, versions - 7↗2022-05-24

▶

CVEList

CVE-2021-33703: Under certain conditions, NetWeaver Enterprise Portal, versions - 7↗2021-08-10

▶