History: Feb 09, 2021 - 8:44 p.m.

CVE-2021-21444

2021-02-09 20:44:22
sap
www.cve.org
sap business objects
bi platform
x-frame-options
clickjacking
vulnerability

CVSS3: 5.4

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS: 0.001
Percentile: 36.1%

SAP Business Objects BI Platform, versions 410, 420, 430, allows multiple X-Frame-Options header entries in the response headers, which may not be treated predictably by all user agents. As a result, this could nullify the added X-Frame-Options header, leading to a clickjacking attack.

CNA Affected

[
  {
    "product": "SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad)",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "< 410"
      },
      {
        "status": "affected",
        "version": "< 420"
      },
      {
        "status": "affected",
        "version": "< 430"
      }
    ]
  }
]
