A note with CVSS score 3.4 for component BC-FES-CTL was released by SAP on 11.05.2021. The correction/advisory 3023078 is titled "[CVE-2021-27612] SAP GUI for Windows is vulnerable to redirect users to an untrusted website" and affects the system type SAP GUI / Frontend.
A workaround does not exist, according to the SAP Security Advisory team. It is advisable to implement the correction as part of the monthly patch process.
The vulnerability addressed is insufficient security function within SAP GUI / Frontend.
Risk specification: SAP GUI for Windows can redirect users to a malicious website that hosts malware or is used for phishing attacks.
When a user is directed to an external website and declines to download content, an empty page will be displayed correctly.
The advisory is valid for
- BC-FES-GUI 7.60 2
- BC-FES-GUI 7.70