{"api_version":"1","generated_at":"2026-05-06T14:43:51+00:00","cve":"CVE-2021-33694","urls":{"html":"https://cve.report/CVE-2021-33694","api":"https://cve.report/api/cve/CVE-2021-33694.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-33694","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-33694"},"summary":{"title":"CVE-2021-33694","description":"SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights, to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored Cross-Site Scripting.","state":"PUBLIC","assigner":"cna@sap.com","published_at":"2021-09-15 19:15:00","updated_at":"2021-09-28 14:39:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://launchpad.support.sap.com/#/notes/3058553","name":"https://launchpad.support.sap.com/#/notes/3058553","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806","name":"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806","refsource":"MISC","tags":[],"title":"SAP Security Patch Day – August 2021 - Product Security Response at SAP - Community Wiki","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-33694","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-33694","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"33694","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"sap","cpe5":"cloud_connector","cpe6":"2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-33694","ASSIGNER":"cna@sap.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"SAP SE","product":{"product_data":[{"product_name":"SAP Cloud Connector","version":{"version_data":[{"version_name":"<","version_value":"2.0"}]}}]}}]}},"description":{"description_data":[{"lang":"eng","value":"SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights, to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored Cross-Site Scripting."}]},"impact":{"cvss":{"baseScore":"5.9","vectorString":"CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L","version":"3.0"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]},"references":{"reference_data":[{"url":"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806","refsource":"MISC","name":"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=582222806"},{"url":"https://launchpad.support.sap.com/#/notes/3058553","refsource":"MISC","name":"https://launchpad.support.sap.com/#/notes/3058553"}]}},"nvd":{"publishedDate":"2021-09-15 19:15:00","lastModifiedDate":"2021-09-28 14:39:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.7,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:sap:cloud_connector:2.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"33694","Ordinal":"209105","Title":"CVE-2021-33694","CVE":"CVE-2021-33694","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"33694","Ordinal":"1","NoteData":"SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights, to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored Cross-Site Scripting.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"33694","Ordinal":"2","NoteData":"2021-09-15","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"33694","Ordinal":"3","NoteData":"2021-09-15","Type":"Other","Title":"Modified"}]}}}