CVE-2021-33664

SAP NetWeaver Application Server ABAP (Applications based on Web Dynpro ABAP), versions - SAP_UI - 750,752,753,754,755, SAP_BASIS - 702, 731 does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.

Published: Jun 9, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-33664
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
sap / netweaver_application_server_abap	31	31.x
sap / netweaver_application_server_abap	702	702.x
sap / netweaver_application_server_abap	750	750.x
sap / netweaver_application_server_abap	752	752.x
sap / netweaver_application_server_abap	753	753.x
sap / netweaver_application_server_abap	754	754.x
sap / netweaver_application_server_abap	755	755.x

https://launchpad.support.sap.com/#/notes/3025604
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=578125999

Vulnerability Database

289,784

CVE-2021-33664