#VU55840 Reverse Tabnabbing in SAP BusinessObjects Business Intelligence suite - CVE-2021-33697


Vulnerability identifier: #VU55840

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-33697

CWE-ID: CWE-1022

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SAP BusinessObjects Business Intelligence suite
Server applications / Other server solutions

Vendor: SAP

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists within SAPUI5 SDK. A remote attacker can trick the victim to inject a malicious link and change contents of the pages.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SAP BusinessObjects Business Intelligence suite: 4.2 - 4.3

External links
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806
https://launchpad.support.sap.com/#/notes/3063048

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Spoofing attack in SAP BusinessObjects Business Intelligence suite