Description
The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.
Published: 2026-02-10
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side script injection (Cross‑Site Scripting) leading to data exposure
Action: Apply patch
AI Analysis

Impact

The vulnerable Business Service Portal applications allow an unauthenticated user to inject arbitrary script through URL parameters that are not properly sanitized. When a victim follows a crafted link, the script runs in the victim’s browser, potentially exposing confidential information that the victim’s session can access. Although the impact on application availability is negligible, the confidentiality and integrity of the victim’s data can be compromised.

Affected Systems

This flaw affects SAP Document Management System versions 600 through 617, the ERP product 618, and the SAP S/4HANA Core systems from 102 to 108, as indicated by the associated versioned CPE entries.

Risk and Exploitability

The CVSS score of 6.1 classifies it as moderate risk, and the EPSS score of less than 1% suggests a low probability of exploitation at present. It is not listed in the CISA KEV catalog. The attack requires no privileged credentials; a malicious actor simply constructs a malicious URL and lures a user to it. If successful, the impact is limited to the client side, but the data accessed can be sensitive.

Generated by OpenCVE AI on April 17, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the SAP security patch referenced in SAP Note 3678417 to remove the unsanitized URL parameters.
  • Configure input validation on the affected BSP application to whitelist accepted characters or patterns for URL parameters, ensuring that scripts cannot be injected.
  • Implement access controls to restrict who can execute the vulnerable endpoints, lowering the chance that an unauthenticated user can trigger the flaw.
  • If a patch cannot be applied immediately, disable or bypass the affected BSP modules and monitor for unauthorized access attempts.

Generated by OpenCVE AI on April 17, 2026 at 20:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap document Management System
Sap erp
Sap s4core
CPEs cpe:2.3:a:sap:document_management_system:600:*:*:*:*:*:*:*
cpe:2.3:a:sap:document_management_system:602:*:*:*:*:*:*:*
cpe:2.3:a:sap:document_management_system:603:*:*:*:*:*:*:*
cpe:2.3:a:sap:document_management_system:604:*:*:*:*:*:*:*
cpe:2.3:a:sap:document_management_system:605:*:*:*:*:*:*:*
cpe:2.3:a:sap:document_management_system:606:*:*:*:*:*:*:*
cpe:2.3:a:sap:document_management_system:617:*:*:*:*:*:*:*
cpe:2.3:a:sap:erp:618:*:*:*:*:*:*:*
cpe:2.3:a:sap:s4core:102:*:*:*:*:*:*:*
cpe:2.3:a:sap:s4core:103:*:*:*:*:*:*:*
cpe:2.3:a:sap:s4core:104:*:*:*:*:*:*:*
cpe:2.3:a:sap:s4core:105:*:*:*:*:*:*:*
cpe:2.3:a:sap:s4core:106:*:*:*:*:*:*:*
cpe:2.3:a:sap:s4core:107:*:*:*:*:*:*:*
cpe:2.3:a:sap:s4core:108:*:*:*:*:*:*:*
Vendors & Products Sap
Sap document Management System
Sap erp
Sap s4core

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Sap Se
Sap Se sap Document Management System
Vendors & Products Sap Se
Sap Se sap Document Management System

Tue, 10 Feb 2026 03:45:00 +0000

Type Values Removed Values Added
Description The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim�s browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.
Title Multiple vulnerabilities in BSP Applications of SAP Document Management System
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Sap Document Management System Erp S4core
Sap Se Sap Document Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-02-10T16:22:54.274Z

Reserved: 2026-01-21T22:15:36.672Z

Link: CVE-2026-24323

cve-icon Vulnrichment

Updated: 2026-02-10T16:19:57.766Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T04:16:04.467

Modified: 2026-02-17T15:15:47.583

Link: CVE-2026-24323

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:00:12Z

Weaknesses