PT-2021-21694 · SAP · SAP NetWeaver Knowledge Management XML Forms
Yvan Genuer · Published 2021-09-14 · Updated 2022-02-03
CVE-2021-37531
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SAP NetWeaver Knowledge Management XML Forms versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50
Description
The issue allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands. The attacker can copy this file into a location accessible by the system and then create a file that triggers the XSLT engine to execute the script contained within the malicious XSL file. This can result in a full compromise of the confidentiality, integrity, and availability of the system.
Recommendations
For SAP NetWeaver Knowledge Management XML Forms versions 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, consider disabling the XSLT engine or restricting access to it until a patch is available.
As a temporary workaround, avoid using the XSLT functionality in the affected versions to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
OS Command Injection
Affected Products
SAP NetWeaver Knowledge Management XML Forms