RCE Security Advisory  
Product: SAP Knowledge Warehouse  
Vendor URL:  
Type: Cross-Site Scripting [CWE-79]  
Date found: 2021-09-21  
Date published: 2022-03-17  
CVSSv3 Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)  
CVE: CVE-2021-42063  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
SAP Knowledge Warehouse - versions 7.30, 7.31, 7.40, 7.50  
The SAP Knowledge Warehouse (SAP KW) is the SAP Solution for all the   
material used in training, documentation and handbooks.  
(from the vendor's homepage)  
The endpoint at /SAPIrExtHelp is vulnerable to an unauthenticated  
reflected Cross-Site Scripting vulnerability when user-supplied input  
to the URI is processed by the web application. Since the application   
does not properly validate and sanitize this input, it is possible to   
place arbitrary script code onto the same page.  
The following Proof-of-Concept triggers this vulnerability:  
6. RISK  
To successfully exploit this vulnerability an unauthenticated or   
authenticated user must be tricked into visiting an arbitrary website  
/ link.  
The vulnerability can be used to temporarily embed arbitrary script   
code into the context of the web interface, which offers a wide range   
of possible attacks such as redirecting the user to a malicious page,   
spoofing content on the page or attacking the browser and its plugins.   
Update SAP Knowledge Warehouse to the latest version.  
2021-09-21: Discovery of the vulnerability  
2021-09-21: Contacted the vendor via their contact mail address  
2021-09-21: Vendor response  
2021-10-05: Requested status update from vendor  
2021-10-06: Vendor acknowledges the vulnerability  
2021-10-26: Requested status update from vendor  
2021-10-27: Vendor states that they are still working on the issue  
2021-11-04: CVE requested from SAP (responsible CNA)  
2021-11-10: Vendor refuses to assign a CVE because they only assign CVEs when a security fix gets released  
2021-11-10: Vendor asks not to disclose any details related to this bug by referring to their legal terms at   
2021-11-10: Complained about vendor's legal terms which hold researchers accountable for "any harm to SAP users"  
2021-11-10: Asked for the release date of the patch  
2021-11-10: Vendor refuses to provide the release date due to "legal perspectives"  
2021-11-10: Told the vendor that I do not agree to their legal terms and therefore all future vulnerabilities will be disclosed without prior notification  
2021-11-21: No vendor response  
2021-11-21: Asked for a status update  
2021-11-23: Vendor wants to have a phone call instead  
2021-11-23: Rejected the phone call due to their squishy legal terms  
2021-11-29: Vendor provides the assigned CVE-2021-42063  
2021-11-29: Vendor asks not to release any details until December patch day (14th)  
2021-12-13: Vendor provides information on the security note for December patch day  
2021-12-13: Vendor asks for a 3-month grace period before doing the disclosure  
2022-03-15: Sent notification about the upcoming public disclosure on 2022-03-17  
2022-03-17: Public disclosure