On 13.07.2021 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within SAP Lumira Server .
SAP Note 3053403 addresses "[CVE-2021-33682] Cross-Site Scripting (XSS) vulnerability in SAP Lumira Server" to prevent cross-site scripting (xss) information disclosure with a medium risk for exploitation.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Risk specificationSAP Lumira Server does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability which would allow an authenticated attacker with basic privileges to store malicious script on the system.
The URL parameters are now properly encoded to prevent a successful XSS attack.
The advisory is valid for
- SAP_LUMIRA_SERVER_FOR_BIPLATFM 2.4