Impact
The vulnerability is a reflected cross‑site scripting flaw that allows an unauthenticated attacker to inject malicious scripts into a URL parameter. When a user follows the crafted link, the malicious code is echoed back in the response and runs in the victim’s browser, enabling theft of session cookies, alteration of portal content, or forced redirection. The official assessment indicates a low impact on confidentiality and integrity, with no availability effects.
Affected Systems
The affected product is SAP NetWeaver Enterprise Portal from SAP SE. Specific versions are not listed in the advisory data; therefore any instance of the Portal that may use the vulnerable code path could be affected.
Risk and Exploitability
The CVSS score of 6.1 classifies the flaw as medium severity, whereas the EPSS score is unavailable, making it unclear how frequently attackers might target it. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is triggerable through a URL parameter and requires no authentication, exploitation is straightforward for an unauthenticated attacker who can give a victim the crafted link.
OpenCVE Enrichment