Request a Demo
Rewterz
Rewterz Threat Advisory – Multiple Node.js Security Vulnerability
August 12, 2021
Rewterz
Rewterz Threat Update –Multiple Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities
August 12, 2021

Rewterz Threat Advisory –Multiple SAP Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2021-33705

SAP NetWeaver Enterprise Portal is vulnerable to server-side request forgery, caused by an unspecified flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.

CVE-2021-33704

SAP Business One (Service Layer) could allow a remote authenticated attacker to bypass security restrictions, caused by a missing authorization check flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions to perform unauthorized actions.

CVE-2021-33700


SAP Business One could allow a local authenticated attacker to bypass security restrictions, caused by a missing authentication check flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions

CVE-2021-33697

SAP BusinessObjects Business Intelligence Platform (SAP UI5) could allow a remote attacker to conduct phishing attacks, caused by a Reverse Tabnabbing flaw. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites.

CVE-2021-33696

SAP BusinessObjects Business Intelligence Platform (Crystal Report) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2021-33691

SAP NetWeaver Development Infrastructure (Notification Service) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

Impact

  • Unauthorized Access
  • Security Bypass
  • Cross-Site Scripting

Affected Vendors

SAP

Affected Products

  • SAP NetWeaver Enterprise Portal 7.11
  • SAP NetWeaver Enterprise Portal 7.20
  • SAP NetWeaver Enterprise Portal 7.30
  • SAP NetWeaver Enterprise Portal 7.31
  • SAP Business One 10.0
  • SAP BusinessObjects Business Intelligence Platform 420
  • SAP BusinessObjects Business Intelligence Platform 430
  • SAP NetWeaver Development Infrastructure 7.31
  • SAP NetWeaver Development Infrastructure 7.40
  • SAP NetWeaver Development Infrastructure 7.50

Remediation

Current SAP customers should refer to SAP notes for patch information, available from the SAP Web site.

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806