CVE-2021-33705
Description
The Iviews Editor component of SAP NetWeaver Portal, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, contains a Server-Side Request Forgery (SSRF) vulnerability. It allows an unauthenticated attacker to craft a malicious URL which, when clicked by a user, can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP NetWeaver Portal versions 7.10-7.50 contain an SSRF vulnerability in the Iviews Editor component allowing unauthenticated attackers to make arbitrary requests via crafted URLs.
Vulnerability
The SAP NetWeaver Portal, versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50, contains a Server-Side Request Forgery (SSRF) vulnerability in the Iviews Editor component. An unauthenticated attacker can craft a malicious URL that, when clicked by a user, causes the server to make arbitrary requests (e.g., GET or POST) to internal or external servers [1].
Exploitation
An attacker needs to trick a user into clicking a crafted link. No authentication is required. The attacker can specify any target URL, and the server will issue the request as if from the Portal itself [1].
Impact
Successful exploitation allows the attacker to read or modify data accessible from the Portal, potentially including internal resources. The availability of the system is not affected [1].
Mitigation
SAP has released security patches for the affected versions (see SAP Security Note 3058580). Users should apply the patches as soon as possible. No workarounds are mentioned in the available reference [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50
- SAP SE/SAP NetWeaver Enterprise Portal (v5), Range: < 7.10
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/165743/SAP-Enterprise-Portal-iviewCatcherEditor-Server-Side-Request-Forgery.html (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2022/Jan/72 (mitre, mailing-list, x_refsource_FULLDISC)
- launchpad.support.sap.com (mitre, x_refsource_MISC)
- wiki.scn.sap.com/wiki/pages/viewpage.action (mitre, x_refsource_MISC)