Multiple Vulnerabilities in SAP Products

Published on 11 Aug 2021

Updated on 11 Aug 2021

SAP has released security patches to address several vulnerabilities in their products. They are listed in the table below.

A few of the vulnerabilities have been classified as high in severity. Administrators of affected products are advised to prioritise the patching of these vulnerabilities.

| CVE Number | CVE Name | Base Score |
|---|---|---|
| CVE-2021-33698 | Unrestricted File Upload vulnerability in SAP Business One | 9.9 |
| CVE-2021-33690 | Server Side Request Forgery vulnerability in SAP NetWeaver Development Infrastructure (Component Build Service) | 9.9 |
| CVE-2021-33701 | SQL Injection vulnerability in SAP NZDT Row Count Reconciliation | 9.1 |
| CVE-2021-33705 | Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Enterprise Portal | 8.1 |
| CVE-2021-33700 | Missing Authentication check in SAP Business One | 7 |
| CVE-2021-33691 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Notification Service) | 6.9 |
| CVE-2021-33695 | Multiple Vulnerabilities in SAP Cloud Connector | 6.8 |
| CVE-2021-33704 | Missing Authorisation Check in SAP Business One (Service Layer) | 6.3 |
| CVE-2021-21473 | Missing Authorisation check in SAP NetWeaver AS ABAP and ABAP Platform | 6.3 |
| CVE-2021-33696 | Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Crystal Report) | 5.4 |
| CVE-2021-33697 | Reverse Tabnabbing in SAP BusinessObjects Business Intelligence Platform (SAP UI5) | 4.7 |

For the full list of security patches released by SAP, please refer to:
https://wiki.scn.sap.com/wiki/plugins/servlet/mobile?contentId=582222806#content/view/582222806