CVE-2021-42063
Published 2021-12-14
Priority P181 · medium · CVSS 3.1: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 22.32% (97.4th percentile)
A security vulnerability has been discovered in SAP Knowledge Warehouse versions 7.30, 7.31, 7.40 and 7.50. The usage of one SAP KW component within a Web browser enables unauthorized attackers to conduct XSS attacks, which might lead to disclosure of sensitive data.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sap | knowledge_warehouse | — | — |
| sap | knowledge_warehouse | — | — |
| sap | knowledge_warehouse | — | — |
| sap | knowledge_warehouse | — | — |
| sap_se | sap_knowledge_warehouse | < 7.30 | 7.30 |
| sap_se | sap_knowledge_warehouse | < 7.31 | 7.31 |
| sap_se | sap_knowledge_warehouse | < 7.40 | 7.40 |
| sap_se | sap_knowledge_warehouse | < 7.50 | 7.50 |
Detection & IOCs (extracted from sources)
url/SAPIrExtHelp/random/SAPIrExtHelp/random/%22%3e%3c%53%56%47%20%4f%4e%4c%4f%41%44%3d%26%23%39%37%26%23%31%30%38%26%23%31%30%31%26%23%31%31%34%26%23%31%31%36%28%26%23%78%36%34%26%23%78%36%66%26%23%78%36%33%26%23%78%37%35%26%23%78%36%64%26%23%78%36%35%26%23%78%36%65%26%23%78%37%34%26%23%78%32%65%26%23%78%36%34%26%23%78%36%66%26%23%78%36%64%26%23%78%36%31%26%23%78%36%39%26%23%78%36%65%29%3e.asp↗
- Response body must contain both the XSS payload string and the string 'SAPIKS2' to confirm exploitation of the reflected XSS endpoint.
- Response Content-Type header must be 'text/html' to confirm the vulnerable endpoint is rendering HTML (and thus the XSS payload).
- Use Shodan favicon hash -266008933 to identify internet-exposed SAP Knowledge Warehouse / SAP NetWeaver instances as potential targets.
- Use FOFA icon_hash=-266008933 or ZoomEye app="SAP NetWeaver Application Server httpd" to identify exposed SAP KW instances.
- The XSS attack is delivered via a GET request to the /SAPIrExtHelp/ path with a URL-encoded SVG ONLOAD payload injected into the path segment, requiring no authentication (PR:N).
- Vulnerable versions are SAP Knowledge Warehouse 7.30, 7.31, 7.40, and 7.50 only. The nuclei template targets these versions; scanning other SAP products on the same host may produce false positives.
- Exploitation requires user interaction (UI:R per CVSS), meaning the XSS payload must be rendered in a victim's browser; server-side scanning alone confirms reflection but not full exploitation.
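A log-side check for the request pattern described in the notes above, as an added example that is not part of the original page or of any vendor tooling: it flags access-log entries under /SAPIrExtHelp/ whose decoded path carries markup characters. The Combined Log Format, the sample lines and the function names are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Path prefix named in the detection notes (compared case-insensitively).
KW_PREFIX = "/sapirexthelp/"
# Markup characters or an inline event handler have no place in a help-file path.
MARKUP = re.compile(r"[<>\"']|\bon\w+\s*=", re.I)
# Request field of a Combined Log Format line (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; the payload body is replaced by a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /SAPIrExtHelp/random/'
    '%22%3e%3cSVG%20ONLOAD%3dPLACEHOLDER%3e.asp HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Jan/2024:10:00:05 +0000] '
    '"GET /SAPIrExtHelp/en/index.htm HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Jan/2024:10:00:09 +0000] '
    '"GET /SAPIrExtHelp/x/%2522%253e%253csvg%253e HTTP/1.1" 404 0',
    '192.0.2.15 - - [10/Jan/2024:10:00:12 +0000] "GET /other/%3Cb%3E HTTP/1.1" 200 10',
]

def normalize(target, rounds=3):
    """Drop the query string, percent-decode repeatedly (to catch double
    encoding), then resolve HTML entities such as &#97; or &#x64;."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return html.unescape(path)

def is_suspicious(line):
    """True when the request targets /SAPIrExtHelp/ and the decoded path
    segment after the prefix contains markup."""
    match = REQUEST.search(line)
    if not match:
        return False
    path = normalize(match.group("target"))
    if not path.lower().startswith(KW_PREFIX):
        return False
    return bool(MARKUP.search(path[len(KW_PREFIX):]))

def flag(lines):
    """Return the log lines worth reviewing."""
    return [line for line in lines if is_suspicious(line)]

if __name__ == "__main__":
    for hit in flag(SAMPLE_LOG):
        print(hit)
```

A hit shows that a crafted request reached the server; whether the response reflected it still has to be confirmed against the response-body and Content-Type conditions listed above.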
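CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | — | 6.1 | MEDIUM | — |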
GHSA
ghsa_unreviewed·2021-12-15
CVE-2021-42063 [MEDIUM] CWE-79 GHSA-rw6f-wgvq-rrvg: A security vulnerability has been discovered in the SAP Knowledge Warehouse - versions 7
VulnCheck
SAP knowledge_warehouse Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2021·CVSS 6.1
CVE-2021-42063 [MEDIUM] SAP knowledge_warehouse Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected: SAP knowledge_warehouse
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://go.onapsis.com/threat-report/ch4tter; https://app.crowdsec.net/cti/cve-explorer/CVE-2021-42063
Exploit PoC: https://vulncheck.com/xdb/9f3a82872299
No detection rules found.
Nuclei
SAP Knowledge Warehouse <=7.5.0 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2021-42063 [MEDIUM] SAP Knowledge Warehouse <=7.5.0 - Cross-Site Scripting
SAP Knowledge Warehouse =7.5.1) to mitigate the XSS vulnerability.
reference:
  - https://seclists.org/fulldisclosure/2022/Mar/32
  - https://packetstormsecurity.com/files/166369/SAP-Knowledge-Warehouse-7.50-7.40-7.31-7.30-Cross-Site-Scripting.html
  - https://twitter.com/MrTuxracer/status/1505934549217382409
  - https://nvd.nist.gov/vuln/detail/CVE-2021-42063
  - http://packetstormsecurity.com/files/166369/SAP-Knowledge-Warehouse-7.50-7.40-7.31-7.30-Cross-Site-Scripting.html
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  cvss-score: 6.1
  cve-id: CVE-2021-42063
  cwe-id: CWE-79
  epss-score: 0.40784
  epss-percentile: 0.97376
  cpe: cpe:2.3:a:sap:knowledge_warehouse:7.30:*:*:*:*:*:*:*
metadata:
  max-request: 1
  vendor: sap
  product: knowledge_warehouse
  shodan-query: http.favicon.hash
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/166369/SAP-Knowledge-Warehouse-7.50-7.40-7.31-7.30-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2022/Mar/32
- https://launchpad.support.sap.com/#/notes/3102769
- https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+December+2021