CVE-2021-33701

DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.

Published: Sep 15, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-33701
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
sap / dmis	2011_1_620	2011_1_620.x
sap / dmis	2011_1_640	2011_1_640.x
sap / dmis	2011_1_700	2011_1_700.x
sap / dmis	2011_1_710	2011_1_710.x
sap / dmis	2011_1_730	2011_1_730.x
sap / dmis	710	710.x
sap / dmis	2011_1_731	2011_1_731.x
sap / dmis	2011_1_752	2011_1_752.x
sap / dmis	2020125	2020125.x
sap / sapscore	125	125.x
sap / s4core	102	102.x
sap / s4core	103	103.x
sap / s4core	104	104.x
sap / s4core	105	105.x

Vulnerability Database

290,206

CVE-2021-33701