CVE-2021-27601

SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attacker does not have control over kind or degree.

Published: Apr 13, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-27601
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
sap / netweaver_application_server_java	7.30	7.30.x
sap / netweaver_application_server_java	7.31	7.31.x
sap / netweaver_application_server_java	7.40	7.40.x
sap / netweaver_application_server_java	7.50	7.50.x
sap / netweaver_application_server_java	7.10	7.10.x
sap / netweaver_application_server_java	7.11	7.11.x

Vulnerability Database

289,697

CVE-2021-27601