{
  "vulnerability": "CVE-2021-3370",
  "sightings": [
    {
      "uuid": "fe0dc924-e08a-4c6d-8f81-7110fb771a8a",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-33705",
      "type": "seen",
      "source": "https://t.me/cibsecurity/28937",
      "content": "‼ CVE-2021-33705 ‼\n\nThe SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.\n\n📖 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-09-15T22:22:05.000000Z"
    },
    {
      "uuid": "fb940afd-4462-427f-94b5-f7e6ef7ff49b",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-33701",
      "type": "seen",
      "source": "https://t.me/true_secator/2000",
      "content": "And we know how this weekend will go for IT in a major sector of the economy.\n\nThe German enterprise software giant SAP has released a hefty batch of fixes, closing 9 critical and particularly serious vulnerabilities. The important ones:\n\n- CVE-2021-33698: an unrestricted file upload issue in SAP Business One. An attacker can use the vulnerability to upload script files, which implies the vulnerability could be used to execute arbitrary code.\n\n- CVE-2021-33690: a server-side request forgery (SSRF) affecting the NetWeaver development infrastructure. An attacker can use the vulnerability for proxy attacks by sending specially crafted requests, and if the target instance is reachable from the Internet, can fully compromise confidential data located on the server and affect its availability.\n\n- CVE-2021-33701: SQL injection in the SAP NZDT (Near Zero Downtime Technology) service used by S/4HANA and the DMIS mobile plugin.\n\nOthers (high severity):\n- Cross-site scripting (XSS) bugs: the XSS vulnerabilities allow JavaScript code to be injected into servlet portals and executed in the victim's browser.\n- An SSRF bug in NetWeaver Enterprise Portal: the flaw allows an unauthenticated attacker to make requests to internal or external servers by getting the target user to click a malicious link.\n- An authentication issue affecting all SAP systems accessed through Web Dispatcher.\n- A task hijacking bug in the Fiori Client mobile app for Android.\n- An authentication bug in SAP Business One.\n\nAccording to experts, the current SAP fixes (counting the HotNews and High Priority fixes) are the largest this year.\n\nThe special attention they will get from the hacker underground will require special effort from IT as well. After all, as we remember, building an attack vector for vulnerabilities takes only a few days after the fixes are released.",
      "creation_timestamp": "2021-08-13T13:57:06.000000Z"
    },
    {
      "uuid": "a02f2f32-eb78-4944-9b56-62dc238077b1",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-33704",
      "type": "seen",
      "source": "https://t.me/cibsecurity/28948",
      "content": "‼ CVE-2021-33704 ‼\n\nThe Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. For an attacker to discover the vulnerable function, no in-depth system knowledge is required. Once exploited via Network stack, the attacker may be able to read, modify or delete restricted data. The impact is that missing authorization can result in abuse of functionality usually restricted to specific users.\n\n📖 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-09-15T22:22:23.000000Z"
    },
    {
      "uuid": "c461a223-4981-40a2-8584-f7770fee32ee",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-33703",
      "type": "seen",
      "source": "https://t.me/cibsecurity/27065",
      "content": "‼ CVE-2021-33703 ‼\n\nUnder certain conditions, NetWeaver Enterprise Portal, versions - 7.30, 7.31, 7.40, 7.50, does not sufficiently encode URL parameters. An attacker can craft a malicious link and send it to a victim. A successful attack results in Reflected Cross-Site Scripting (XSS) vulnerability.\n\n📖 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-08-10T18:37:19.000000Z"
    },
    {
      "uuid": "83cea1f0-9391-4c87-9ff2-377f550e937a",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-33707",
      "type": "seen",
      "source": "https://t.me/cibsecurity/27064",
      "content": "‼ CVE-2021-33707 ‼\n\nSAP NetWeaver Knowledge Management allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via a URL stored in a component. This could enable the attacker to compromise the user's confidentiality and integrity.\n\n📖 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-08-10T18:37:18.000000Z"
    },
    {
      "uuid": "dcd62d6b-736f-4a06-99c8-b305cff36d0e",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-33706",
      "type": "seen",
      "source": "https://t.me/cibsecurity/27073",
      "content": "‼ CVE-2021-33706 ‼\n\nDue to improper input validation in InfraBox, logs can be modified by an authenticated user.\n\n📖 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-08-10T18:37:31.000000Z"
    },
    {
      "uuid": "90e7c8c3-19e7-4467-8701-9d0ec64f2620",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-33702",
      "type": "seen",
      "source": "https://t.me/cibsecurity/27071",
      "content": "‼ CVE-2021-33702 ‼\n\nUnder certain conditions, NetWeaver Enterprise Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode report data. An attacker can craft malicious data and print it to the report. In a successful attack, a victim opens the report, and the malicious script gets executed in the victim's browser, resulting in a Stored Cross-Site Scripting (XSS) vulnerability.\n\n📖 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-08-10T18:37:28.000000Z"
    },
    {
      "uuid": "460b78b8-0bad-44b7-94fe-3bd72b300773",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2021-33708",
      "type": "seen",
      "source": "https://t.me/cibsecurity/27092",
      "content": "‼ CVE-2021-33708 ‼\n\nDue to insufficient input validation in Kyma, authenticated users can pass a Header of their choice and escalate privileges.\n\n📖 Read\n\nvia \"National Vulnerability Database\".",
      "creation_timestamp": "2021-08-11T00:37:30.000000Z"
    }
  ]
}