CVE-2021-33672: Command Injection
First published: Tue Sep 14 2021(Updated: )
Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands in the chat recipient's scope. This could lead to a complete compromise of their confidentiality, integrity, and could temporarily impact their availability.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP Contact Center | =700 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-33672?
CVE-2021-33672 has a medium severity rating due to the potential for an attacker to execute malicious scripts.
How do I fix CVE-2021-33672?
To fix CVE-2021-33672, apply the latest SAP Contact Center updates that address the encoding vulnerabilities.
What is affected by CVE-2021-33672?
CVE-2021-33672 affects SAP Contact Center version 700, specifically in the Communication Desktop component.
What type of attack is related to CVE-2021-33672?
CVE-2021-33672 is associated with cross-site scripting (XSS) attacks via chat messages.
Who can exploit CVE-2021-33672?
CVE-2021-33672 can be exploited by attackers who send malicious chat messages to users of the SAP Contact Center.
- collector/nvd-index
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- vendor/sap
- canonical/sap contact center
- version/sap contact center/700