CVE Vulnerability

CVE-2021-33672

Due to missing encoding in SAP Contact Center's Communication Desktop component- version 700, an attacker could send malicious script in chat message. When the message is accepted by the chat recipient, the script gets executed in their scope. Due to the usage of ActiveX in the application, the attacker can further execute operating system level commands in the chat recipient's scope. This could lead to a complete compromise of their confidentiality, integrity, and could temporarily impact their availability.

9.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

9.6 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://launchpad.support.sap.com/#/notes/3073891 Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405 Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:sap:contact_center:700:*:*:*:*:*:*:*
Information

Published : 2021-09-14 12:15

Updated : 2021-09-24 02:55

NVD link : CVE-2021-33672

Mitre link : CVE-2021-33672

Products Affected
No products.
CWE
CWE-116

Improper Encoding or Escaping of Output