Impact
The SAP Business One Job Service contains a DOM‑based Cross‑Site Scripting flaw caused by insufficient validation of user‑controlled input in a URL query parameter. An unauthenticated attacker can inject specially crafted data that will be processed when a user interacts with the affected page, potentially leading to the execution of malicious scripts in the victim’s browser session. The vulnerability is classified as CWE‑79, and the impact is limited to confidentiality and integrity via the compromise of session state, with no effect on availability.
Affected Systems
The affected product is SAP Business One Job Service. The advisory gives no specific version information; administrators should check their deployed instances for the flaw.
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity, reflecting the requirement of user interaction and the lack of direct remote code execution. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in CISA's catalog of known exploited vulnerabilities. The likely attack vector is a malicious URL crafted by an unauthenticated attacker and opened by a user; the attacker cannot compromise the system without a victim’s interaction. Based on the provided data, continuous monitoring for the release of a vendor patch remains prudent.