// For flags

CVE-2021-21470

 

Severity Score

4.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. This occurs as logging service does not disable XML external entities when parsing configuration files and a successful exploit would result in limited impact on integrity and availability of the application.

SAP EPM Add-in para Microsoft Office, versión - 1010 y SAP EPM Add-in para SAP Analysis Office, versión - 2.8, permiten a un atacante autenticado con privilegios de usuario analizar archivos XML maliciosos que podrían resultar en ataques basados en XXE en aplicaciones que aceptan archivos de configuración XML controlados por atacantes. Esto ocurre porque el servicio de registro no deshabilita las entidades externas XML al analizar los archivos de configuración y una explotación con éxito podría resultar en un impacto limitado en la integridad y disponibilidad de la aplicación

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-12-30 CVE Reserved
  • 2021-01-12 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476 2021-01-14
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Sap
Search vendor "Sap"
 Enterprise Performance Management
Search vendor "Sap" for product "Enterprise Performance Management"
 2.8
Search vendor "Sap" for product "Enterprise Performance Management" and version "2.8"
sap_analysis_office
Affected
Sap
Search vendor "Sap"
 Enterprise Performance Management
Search vendor "Sap" for product "Enterprise Performance Management"
 1010
Search vendor "Sap" for product "Enterprise Performance Management" and version "1010"
microsoft_office
Affected