CVE-2021-33672

EPSS 0.27%
Published 14.09.2021 12:15:08
Last modified 21.11.2024 06:09:19
Source cna@sap.com
Teams watchlist Login
Open Login

Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands in the chat recipient's scope. This could lead to a complete compromise of their confidentiality, integrity, and could temporarily impact their availability.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ Contact Center Version700

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.27%	0.473

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.6	2.8	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C
cna@sap.com	9.6	2.8	6	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405

Vendor Advisory

https://launchpad.support.sap.com/#/notes/3073891

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2021-33672

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-33672

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-33672

EUVD