cbcvebase.
CVE-2021-42063
published 2021-12-14


Priority: P1 81 · medium 6.1 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
ITW exploit: VulnCheck KEV
Exploited in the wild
EPSS: 22.32% (97.4th percentile)
A security vulnerability has been discovered in the SAP Knowledge Warehouse - versions 7.30, 7.31, 7.40, 7.50. The usage of one SAP KW component within a Web browser enables unauthorized attackers to conduct XSS attacks, which might lead to the disclosure of sensitive data.

Affected

8 ranges
Vendor | Product                 | Version range | Fixed in
sap    | knowledge_warehouse     |               |
sap    | knowledge_warehouse     |               |
sap    | knowledge_warehouse     |               |
sap    | knowledge_warehouse     |               |
sap_se | sap_knowledge_warehouse | < 7.30        | 7.30
sap_se | sap_knowledge_warehouse | < 7.31        | 7.31
sap_se | sap_knowledge_warehouse | < 7.40        | 7.40
sap_se | sap_knowledge_warehouse | < 7.50        | 7.50

Detection & IOCs (extracted from sources)

url: /SAPIrExtHelp/random/SAPIrExtHelp/random/%22%3e%3c%53%56%47%20%4f%4e%4c%4f%41%44%3d%26%23%39%37%26%23%31%30%38%26%23%31%30%31%26%23%31%31%34%26%23%31%31%36%28%26%23%78%36%34%26%23%78%36%66%26%23%78%36%33%26%23%78%37%35%26%23%78%36%64%26%23%78%36%35%26%23%78%36%65%26%23%78%37%34%26%23%78%32%65%26%23%78%36%34%26%23%78%36%66%26%23%78%36%64%26%23%78%36%31%26%23%78%36%39%26%23%78%36%65%29%3e.asp
other: http.favicon.hash:-266008933
other: icon_hash=-266008933
path: /SAPIrExtHelp/
  • Response body must contain both the XSS payload string and the string 'SAPIKS2' to confirm exploitation of the reflected XSS endpoint.
  • Response Content-Type header must be 'text/html' to confirm the vulnerable endpoint is rendering HTML (and thus the XSS payload).
  • Use Shodan favicon hash -266008933 to identify internet-exposed SAP Knowledge Warehouse / SAP NetWeaver instances as potential targets.
  • Use FOFA icon_hash=-266008933 or ZoomEye app="SAP NetWeaver Application Server httpd" to identify exposed SAP KW instances.
  • The XSS attack is delivered via a GET request to the /SAPIrExtHelp/ path with a URL-encoded SVG ONLOAD payload injected into the path segment, requiring no authentication (PR:N).
  • Vulnerable versions are SAP Knowledge Warehouse 7.30, 7.31, 7.40, and 7.50 only. The nuclei template targets these versions; scanning other SAP products on the same host may produce false positives.
  • The detection requires UI interaction (UI:R per CVSS), meaning the XSS payload must be rendered in a victim's browser; server-side scanning alone confirms reflectivity but not full exploitation.

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 6.1   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd       | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck |         | 6.1   | MEDIUM   |