CVE-2021-21490
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
09/06/2021
Last modified:
05/10/2022
Description
SAP NetWeaver AS for ABAP (Web Survey), versions - 700, 702, 710, 711, 730, 731, 750, 750, 752, 75A, 75F, does not sufficiently encode input and output parameters which results in reflected cross site scripting vulnerability, through which a malicious user can access data relating to the current session and use it to impersonate a user and access all information with the same rights as the target user.
Impact
Base Score 3.x
6.10
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:sap:netweaver_application_server_abap:75a:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:75f:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:700:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:702:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:710:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:711:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:730:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page