Impact
An unprivileged user can trigger an open redirect by visiting a specially crafted URL handled by the SAP Supplier Relationship Management SICF Handler; the handler then redirects the victim to an attacker‑controlled site. The impact is limited to the redirection itself: a limited loss of integrity, with confidentiality and availability unaffected. The principal risk is that users may be led to phishing or malicious sites; the attack does not directly alter application data.
Affected Systems
Versions 700, 701, 702, 713, and 714 of SAP Supplier Relationship Management (SICF Handler in SRM Catalog) are affected. No detailed sub‑release information is available, so all installations of these major releases should be considered vulnerable until the fix from SAP Note 3638716 is applied.
Risk and Exploitability
With a Base Score of 4.7, the CVSS profile places the issue in the Medium range. The EPSS value is reported as less than 1 % and the vulnerability is not listed in CISA’s KEV catalog, indicating a low probability of exploitation at this time. Based on the description, the likely attack vector is an unauthenticated web request that a user clicks on or follows, which triggers the redirection. Exploitation requires only the delivery of a crafted URL to a user and needs neither credentials nor privileged access.
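The root cause of an open redirect is a redirect parameter that is trusted without checking where it points. As an added illustration of the mitigation (this is example code written for this page, not SAP's SICF Handler code, and it says nothing about how that handler builds its redirect), the validator below accepts a redirect target only if it is a same-site path or an absolute URL to an allow-listed host. The host names are constructed sample values. It rejects the forms that usually bypass naive "starts with /" or "contains our domain" checks: protocol-relative `//host`, backslash variants that browsers normalise to `/`, non-HTTP schemes such as `javascript:`, userinfo tricks like `https://trusted@evil`, and embedded whitespace or control characters.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to. Constructed sample values for the
# example; a real deployment would use its own portal host names.
ALLOWED_HOSTS = {"srm.example.internal", "portal.example.internal"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on this site or an allow-listed host.

    Anything not positively recognised as safe is rejected, so unusual or
    malformed inputs fail closed.
    """
    if not target:
        return False
    # Embedded control characters or whitespace can hide a scheme from naive
    # prefix checks ("java\tscript:"), so reject them outright.
    if any(ord(ch) < 0x20 or ch.isspace() for ch in target):
        return False
    # Browsers treat '\' like '/' in the authority position, so normalise
    # before parsing; otherwise "/\evil.example" parses as a harmless path.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)

    if parts.scheme == "" and parts.netloc == "":
        # A relative reference: allow only site-absolute paths like "/catalog".
        # "//evil.example" never reaches here because urlsplit puts the host
        # into netloc, but the explicit check documents the intent.
        return normalised.startswith("/") and not normalised.startswith("//")

    # Absolute URL (or protocol-relative one, which has an empty scheme):
    # require an HTTP(S) scheme and an allow-listed host.
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased, userinfo and port stripped
    if host is None:
        return False
    return host in allowed_hosts


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return `target` if it passes validation, otherwise a safe fallback."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate deep link and typical bypass attempts.
    samples = [
        "/catalog/item?id=42",
        "https://srm.example.internal/catalog",
        "https://evil.example/login",
        "//evil.example/login",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://srm.example.internal@evil.example/",
        " https://evil.example",
    ]
    for s in samples:
        print(f"{s!r:45} -> {safe_redirect_target(s)!r}")
```

The design choice worth noting is the fail-closed shape: the function enumerates what is acceptable (a site-absolute path, or an http/https URL whose parsed host is on the allow list) rather than trying to enumerate every bypass. A detection rule for web server logs can apply the same predicate to the value of the redirect parameter and flag requests whose target fails it.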
OpenCVE Enrichment