VDB
CVE-2021-37531
CVE-2021-37531
PUBLISHED
CVSS 9.899999618530273 CRITICAL
SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. This can result in a full compromise of the confidentiality, integrity, and availability of the system.
EPSS 4.23% · 88.9th percentile
Risk Scores
CVSS v3.0
9.899999618530273
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score
4.23%
88.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| SAP SE | SAP NetWeaver Knowledge Management XML Forms | < 7.50, < 7.10, < 7.11 |
| sap | netweaver_knowledge_management_xml_forms | 7.10, 7.11, 7.30 |
Timeline
- Sep 14, 2021 CVE Published
- Sep 15, 2021 EPSS Score
- Nov 11, 2021 EPSS Score
- Jan 8, 2022 EPSS Score
- Jan 27, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 6, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jun 29, 2022 EPSS Score
- Aug 26, 2022 EPSS Score
- Oct 23, 2022 EPSS Score
- Feb 15, 2023 EPSS Score
References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 advisory
- https://launchpad.support.sap.com/#/notes/3081888 url
- 20220126 Onapsis Security Advisory 2021-0026: SAP Enterprise Portal - XSLT injection mailing-list
- http://packetstormsecurity.com/files/165751/SAP-Enterprise-Portal-XSLT-Injection.html url
- https://nvd.nist.gov/vuln/detail/CVE-2021-37531 advisory