← back
CVE-2021-37531

CVE-2021-37531

CVSS 9.9 CRITICALEPSS 3.1%
SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. This can result in a full compromise of the confidentiality, integrity, and availability of the system.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
SAP SE · SAP NetWeaver Knowledge Management XML Forms
public PoCs found1
cve_referencepacketstormsecurity.com/files/165751/SAP-Enterprise-Portal-XSLT-Injection.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/165751/SAP-Enterprise-Portal-XSLT-Injection.htmlhttp://seclists.org/fulldisclosure/2022/Jan/75https://launchpad.support.sap.com/#/notes/3081888https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=585106405