CRITICAL🇵🇱 Wersja polska

CVE-2021-33701

CVSS 9.1v3.1pub. 2021-09-15upd. 2024-11-21

DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Sap Dmis

    APP
    Sap
    2011_1_6202011_1_6402011_1_7002011_1_7102011_1_7302011_1_7312011_1_7522020125710
  • Sap S4core

    APP
    Sap
    102103104105
  • Sap Sapscore

    APP
    Sap
    125
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2024-39592HIGH7.7ten sam produkt

Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escal...

CVE-2018-2484HIGH8.8ten sam produkt

SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.1...

CVE-2026-23688MEDIUM4.3ten sam produkt

SAP Fiori App Manage Service Entry Sheets does not perform necessary authorization checks for an authenticated...

CVE-2026-0505MEDIUM6.1ten sam produkt

The BSP applications allow an unauthenticated user to manipulate user-controlled URL parameters that are not s...

CVE-2026-24323MEDIUM6.1ten sam produkt

The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL ...