On 14.09.2021 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within BCM platform.
SAP Note 3073891 addresses "[CVE-2021-33672] Multiple vulnerabilities in SAP Contact Center" to prevent os command injectioncross-site scripting (xss) with a hot news risk for exploitation.
A workaround does exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Risk specificationMultiple Security vulnerabilities allow an attacker with administrative privileges to inject code or perform a cross-site-scripting vulnerability.
Proper encoding of content has been implemented preventing OS command injection and Cross-Site Scripting (XSS). Circumstances exist that prevent the timely installation of a patch provided by the manufacturer. In such cases, you may consider applying the suggested workaround as a temporary or compensating mitigation: "Customers who do not wish to install the patch yet, can use a workaround to remediate this vulnerability that are described in the note.".
The advisory is valid for
- BCM 700