CVE-2021-21470

MEDIUM

SAP EPM Add-in 1010 & SAP Analysis Office 2.8 - Authenticated XXE in Logging Service

Title source: llm

Description

SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. This occurs as logging service does not disable XML external entities when parsing configuration files and a successful exploit would result in limited impact on integrity and availability of the application.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_misc

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476

Permissions Required x_refsource_misc

https://launchpad.support.sap.com/#/notes/3000291

Scores

CVSS v3 4.4

EPSS 0.0004

EPSS Percentile 14.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Details

CWE

CWE-611

Status published

Products (2)

sap/enterprise_performance_management 2.8

sap/enterprise_performance_management 1010

Published Jan 12, 2021

Tracked Since Feb 18, 2026