Impact
The vulnerability is a reflected Cross‑Site Scripting in the Configuration Wizard of SAP NetWeaver Application Server Java. An attacker who can construct a specially‑crafted URL can cause arbitrary JavaScript to run in a victim’s browser. If the victim is authenticated to the application, the script can read cookie‑based session tokens and other sensitive client‑side data, enabling session hijacking or other data‑exfiltration. The flaw is a classic input‑validation weakness identified by CWE‑79 and results in a high impact on confidentiality with no impact on availability.
Affected Systems
The affected product is SAP NetWeaver Application Server Java, specifically its Configuration Wizard component. The vulnerability exists in all unpatched installations that still expose the wizard via HTTP(S).
Risk and Exploitability
The CVSS score of 8.2 indicates a high‑severity risk. Because the flaw can be triggered by an unauthenticated user through a crafted URL, an attacker may exploit it from any network location that can reach the wizard endpoint. EPSS data is not available, but the lack of listing in CISA KEV means there is no known active exploitation at this time. Still, the vulnerability’s high score and the ease of tricking a user into visiting the malicious link point to a significant risk that warrants prompt remediation.
OpenCVE Enrichment