CVE-2025-26662 Information
May 14, 2025
Description
The Data Services Management Console does not sufficiently encode user-controlled inputs, allowing an attacker to inject malicious script. When a targeted victim who is already logged in clicks on the compromised link, the injected script gets executed within the scope of the victim's browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Reference
https://me.sap.com/notes/3558755
https://url.sap/sapsecuritypatchday
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
4.4
Base Severity
MEDIUM