CVE-2021-21470

Name of the Vulnerable Software and Affected Versions SAP EPM Add-in for Microsoft Office version 1010 SAP EPM Add-in for SAP Analysis Office version 2.8

Description The issue allows an authenticated attacker with user privileges to parse malicious XML files, potentially resulting in XXE-based attacks in applications that accept attacker-controlled XML configuration files. This occurs because the logging service does not disable XML external entities when parsing configuration files. A successful exploit would have limited impact on the integrity and availability of the application.

Recommendations For SAP EPM Add-in for Microsoft Office version 1010, update to a version that disables XML external entities in the logging service to prevent XXE-based attacks. For SAP EPM Add-in for SAP Analysis Office version 2.8, update to a version that disables XML external entities in the logging service to prevent XXE-based attacks. As a temporary workaround, consider restricting the parsing of XML configuration files to trusted sources until a patch is available.