CVELIST:CVE-2021-33672 (cvelist, SAP)
Sep 14, 2021 - 11:21 a.m.

CVE-2021-33672

2021-09-14 11:21:48
sap
www.cve.org
sap contact center, communication desktop, malicious script, operating system, confidentiality, integrity, availability, activex, cve-2021-33672

CVSS3: 9.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

AI Score: 9.6
Confidence: High

EPSS: 0.002
Percentile: 60.1%

Due to missing encoding in SAP Contact Center’s Communication Desktop component, version 700, an attacker could send a malicious script in a chat message. When the message is accepted by the chat recipient, the script is executed in their scope. Because the application uses ActiveX, the attacker can further execute operating-system-level commands in the chat recipient’s scope. This could lead to a complete compromise of their confidentiality and integrity, and could temporarily impact their availability.

CNA Affected

[
  {
    "product": "SAP Contact Center",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "< 700"
      }
    ]
  }
]
