SAP released a note with CVSS score 6.9 for component BC-CTS-DI on 10.08.2021. The correction/advisory 3073450 is titled "[CVE-2021-33691] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service)" and applies to the Java system type.
According to the SAP Security Advisory team, no workaround exists. It is advisable to implement the correction as part of regular maintenance.
The vulnerability addressed is cross-site scripting (XSS) on the Java stack.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based applications. XSS combines
affected web application.
Risk specification: SAP NetWeaver Development Infrastructure Notification Service does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.
Solution: the user input is now properly encoded for the HTML context in which it is rendered, so that a successful XSS attack is prevented.
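The note says only that the input was "not sufficiently encoded" and is "now properly encoded". The following example, added here and not taken from SAP's code, shows what that distinction means in practice: a notification message that is rendered both inside an HTML attribute and as text, first unencoded, then with an encoder that handles only angle brackets (enough for a text node, not for an attribute), then with an encoder that covers every structurally significant HTML character. The class name NotificationView, its methods and the two attack strings are all constructed for this illustration.

```java
/*
 * Added example (not SAP code): insufficient vs. sufficient HTML output
 * encoding of a user-controlled notification message. All names and the
 * test inputs below are hypothetical.
 */
public class NotificationView {

    // Fixed template: the message lands in a quoted attribute AND a text node.
    private static String template(String m) {
        return "<li class=\"notification\" title=\"" + m + "\">" + m + "</li>";
    }

    // Variant 1: no encoding at all.
    static String renderUnencoded(String message) {
        return template(message);
    }

    // Variant 2: "insufficient" encoding. Only '<' and '>' are handled, so a
    // double quote still terminates the title attribute and lets the attacker
    // append an event-handler attribute.
    static String encodeAnglesOnly(String s) {
        return s.replace("<", "&lt;").replace(">", "&gt;");
    }
    static String renderInsufficient(String message) {
        return template(encodeAnglesOnly(message));
    }

    // Variant 3: encodes every character that can change HTML structure in a
    // text node or a quoted attribute value. Ampersand first, so that existing
    // entities are not double-interpreted later.
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
    static String renderEncoded(String message) {
        return template(htmlEncode(message));
    }

    // Demo check: the template itself contains exactly two '<' and four '"'.
    // Any extra one means the input altered the markup structure.
    static int count(String s, char c) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) if (s.charAt(i) == c) n++;
        return n;
    }
    static boolean markupIntact(String html) {
        return count(html, '<') == 2 && count(html, '"') == 4;
    }

    public static void main(String[] args) {
        // Constructed attack inputs: one targets the text node, one the attribute.
        String tagPayload  = "<img src=x onerror=alert(document.cookie)>";
        String attrPayload = "\" onmouseover=\"alert(document.cookie)";

        for (String payload : new String[] { tagPayload, attrPayload }) {
            System.out.println("payload:      " + payload);
            System.out.println("unencoded:    intact=" + markupIntact(renderUnencoded(payload)));
            System.out.println("angles only:  intact=" + markupIntact(renderInsufficient(payload)));
            System.out.println("htmlEncode:   intact=" + markupIntact(renderEncoded(payload)));
            System.out.println();
        }
    }
}
```

Run with `javac NotificationView.java && java NotificationView`. The angle-bracket-only encoder survives the `<img ...>` payload but fails on the attribute-breakout payload, which is the "insufficient encoding" pattern the note describes; the full encoder keeps the markup intact for both. In a real AS Java application, use a maintained, context-aware encoder (for example the OWASP Java Encoder's Encode.forHtml and Encode.forHtmlAttribute) instead of a hand-written one, and pick the encoding for the exact context (attribute, text, JavaScript, URL) into which the value is written.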
SAP NetWeaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for:
- DI_NTY 7.30
- DI_NTY 7.31
- DI_NTY 7.40
- DI_NTY 7.50
Other SAP security notes, with their CVSS scores:
- 8.7 [CVE-2023-42472] Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface)
- 8.3 [CVE-2021-33703] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
- 8.3 [CVE-2021-33702] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
- 8.2 [CVE-2023-33991] Stored Cross-Site Scripting vulnerability in SAP UI5 (Variant Management)
- 8.0 [CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce