CVE-2021-33672

Name of the Vulnerable Software and Affected Versions: SAP Contact Center's Communication Desktop component version 700

Description: The issue arises from missing encoding in the Communication Desktop component, allowing an attacker to send malicious scripts via chat messages. When a recipient accepts the message, the script executes in their scope. The application's use of ActiveX enables the attacker to execute operating system level commands, potentially compromising the recipient's confidentiality and integrity, and temporarily impacting their availability.

Recommendations: For version 700, consider disabling the usage of ActiveX in the application as a temporary workaround to minimize the risk of exploitation. Additionally, restrict the execution of scripts in chat messages to prevent operating system level commands from being executed. At the moment, there is no information about a newer version that contains a fix for this vulnerability.