Skip links

CVE-2021-21444 Clickjacking vulnerability in SAP Business Objects Business Intelligence Platform (CMC and BI Launchpad), SAP security note 2935791

Description

SAP Business Object allows multiple X-Frame-Options headers entries in the response headers, which may not be predictably treated by all user agents .This could, as a result, nullify the added XFO header leading to Clickjacking attack.

Available fix and Supported packages

  • ENTERPRISE | 410 | 410
  • ENTERPRISE | 420 | 420
  • ENTERPRISE | 430 | 430
  • SBOP BI PLATFORM SERVERS 4.1 | SP012 | 000800
  • SBOP BI PLATFORM SERVERS 4.2 | SP007 | 001200
  • SBOP BI PLATFORM SERVERS 4.2 | SP008 | 000300
  • SBOP BI PLATFORM SERVERS 4.2 | SP009 | 000000
  • SBOP BI PLATFORM SERVERS 4.3 | SP000 | 000100
  • SBOP BI PLATFORM SERVERS 4.3 | SP000 | 000500
  • SBOP BI PLATFORM SERVERS 4.3 | SP001 | 000000

Affected component

    BI-BIP-CMC
    Central Management Console (CMC)

CVSS

Score: 5.4
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2935791

TAGS

#X-Frame-Options
#header
#Clickjacking
#CMC
#BI-Launchpad
#XFO
#browser
#user-agent
#response-header
#CVE-2021-21444

How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer

Initiating SAP Penetration Testing

►   Pentest, short for penetration testing, refers to a set of processes that simulate an attacker’s actions to identify security vulnerabilities. Companies

SAP Security Patch Day RedRays

May 2024 SAP Security Patch Day

Vulnerability: Multiple vulnerabilities in SAP CX Commerce SAP Component: CEC-SCC-PLA-PL CVE ID: CVE-2019-17495 CVSS Score: 9.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Category: Program error