CVE Vulnerability

CVE-2021-21470

SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. This occurs as logging service does not disable XML external entities when parsing configuration files and a successful exploit would result in limited impact on integrity and availability of the application.

3.6 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

4.4 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476 Vendor Advisory
https://launchpad.support.sap.com/#/notes/3000291 Permissions Required
Configurations

Configuration 1

cpe:2.3:a:sap:enterprise_performance_management:1010:*:*:*:*:microsoft_office:*:*
cpe:2.3:a:sap:enterprise_performance_management:2.8:*:*:*:*:sap_analysis_office:*:*
Information

Published : 2021-01-12 03:15

Updated : 2021-01-14 04:15

NVD link : CVE-2021-21470

Mitre link : CVE-2021-21470

Products Affected
No products.
CWE
CWE-611

Improper Restriction of XML External Entity Reference