CVE-2021-33707

Description

SAP NetWeaver Knowledge Management allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL stored in a component. This could enable the attacker to compromise the user's confidentiality and integrity.

CVSS breakdown

CVSS 3.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected products

SAP_SE / SAP NetWeaver (Knowledge Management)< 7.30 – < 7.30
SAP_SE / SAP NetWeaver (Knowledge Management)< 7.31 – < 7.31
SAP_SE / SAP NetWeaver (Knowledge Management)< 7.40 – < 7.40
SAP_SE / SAP NetWeaver (Knowledge Management)< 7.50 – < 7.50

References

MISChttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
MISChttps://launchpad.support.sap.com/#/notes/3076399
MAILING_LISThttp://seclists.org/fulldisclosure/2022/Jan/73
EXPLOIThttp://packetstormsecurity.com/files/165748/SAP-Enterprise-Portal-Open-Redirect.html