PT-2021-20251 · SAP · SAP Contact Center

Published: 2021-09-14 · Updated: 2021-09-24 · CVE-2021-33673

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: SAP Contact Center version 700
Description: The issue arises from insufficient encoding of persisted, user-controlled input. An attacker can exploit this Stored Cross-Site Scripting (XSS) vulnerability when a user browses the employee directory, causing arbitrary code to execute in the victim's browser. Because the application uses ActiveX, the attacker can further execute operating-system-level commands.
Recommendations: For SAP Contact Center version 700, consider disabling the usage of ActiveX in the application as a temporary workaround to minimize the risk of exploitation. Restrict access to the employee directory to prevent attackers from executing arbitrary code on the victim's browser. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
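As an added example (not SAP's code), the vulnerable and hardened rendering patterns behind this class of bug: an employee-directory row built by string concatenation beside one that HTML-encodes every persisted field at output time. The Employee record, the render functions and the sample values are constructed for illustration.

```python
import html
from dataclasses import dataclass


# Constructed record (not SAP code): directory fields that came from
# user-controlled input and were persisted verbatim.
@dataclass
class Employee:
    name: str
    department: str


def render_row_unencoded(emp: Employee) -> str:
    """Vulnerable pattern: stored values are concatenated straight into HTML."""
    return f"<tr><td>{emp.name}</td><td>{emp.department}</td></tr>"


def render_row_encoded(emp: Employee) -> str:
    """Hardened pattern: each persisted field is HTML-entity encoded at output time.

    quote=True also encodes ' and " so the value stays inert inside attributes.
    """
    return (
        "<tr><td>" + html.escape(emp.name, quote=True)
        + "</td><td>" + html.escape(emp.department, quote=True)
        + "</td></tr>"
    )


def leaks_markup(rendered: str, value: str) -> bool:
    """True if a stored value containing '<' or '>' reaches the output unchanged."""
    return any(ch in value for ch in "<>") and value in rendered


if __name__ == "__main__":
    # Constructed sample: a display name carrying markup characters.
    sample = Employee("O'Brien <b>Lead</b>", "Sales & Support")
    print(render_row_unencoded(sample))  # markup survives: browser interprets it
    print(render_row_encoded(sample))    # markup is rendered as literal text
```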

XSS

Related Identifiers

CVE-2021-33673

Affected Products

SAP Contact Center