#VU50450 Reverse Tabnabbing in SAPUI5 - CVE-2021-21476


Vulnerability identifier: #VU50450

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-21476

CWE-ID: CWE-1022

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SAPUI5
Universal components / Libraries / Software for developers

Vendor: SAP

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists within SAPUI5 SDK. A remote attacker can trick the victim to inject a malicious link and change contents of the pages.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SAPUI5: 1.38.49 - 1.86.1

External links
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=568460543
https://launchpad.support.sap.com/#/notes/3014303

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Reverse tabnabbing in SAP SAPUI5