{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-11T10:35:03.916","vulnerabilities":[{"cve":{"id":"CVE-2021-21470","sourceIdentifier":"cna@sap.com","published":"2021-01-12T15:15:16.250","lastModified":"2024-11-21T05:48:26.257","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in for SAP Analysis Office, version - 2.8, allows an authenticated attacker with user privileges to parse malicious XML files which could result in XXE-based attacks in applications that accept attacker-controlled XML configuration files. This occurs as logging service does not disable XML external entities when parsing configuration files and a successful exploit would result in limited impact on integrity and availability of the application."},{"lang":"es","value":"SAP EPM Add-in para Microsoft Office, versión - 1010 y SAP EPM Add-in para SAP Analysis Office, versión - 2.8, permiten a un atacante autenticado con privilegios de usuario analizar archivos XML maliciosos que podrían resultar en ataques basados en XXE en aplicaciones que aceptan archivos de configuración XML controlados por atacantes. Esto ocurre porque el servicio de registro no deshabilita las entidades externas XML al analizar los archivos de configuración y una explotación con éxito podría resultar en un impacto limitado en la integridad y disponibilidad de la aplicación"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":4.4,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.8,"impactScore":2.5}],"cvssMetricV30":[{"source":"cna@sap.com","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":3.6,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.0,"impactScore":2.5}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:N/I:P/A:P","baseScore":3.6,"accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"LOW","exploitabilityScore":3.9,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-611"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:sap:enterprise_performance_management:2.8:*:*:*:*:sap_analysis_office:*:*","matchCriteriaId":"7E15537F-58BC-44AB-B6F0-512BB50DACB9"},{"vulnerable":true,"criteria":"cpe:2.3:a:sap:enterprise_performance_management:1010:*:*:*:*:microsoft_office:*:*","matchCriteriaId":"4016290E-B9D6-414B-A17F-D330A1FDF3E0"}]}]}],"references":[{"url":"https://launchpad.support.sap.com/#/notes/3000291","source":"cna@sap.com","tags":["Permissions Required"]},{"url":"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476","source":"cna@sap.com","tags":["Vendor Advisory"]},{"url":"https://launchpad.support.sap.com/#/notes/3000291","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Permissions Required"]},{"url":"https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564760476","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}