Impact
The vulnerability allows an attacker to inject and execute malicious scripts within the SAP CRM WebClient UI because the application lacks a properly configured Content Security Policy. The absence of restrictive CSP directives permits client‑side script execution, which can tamper with the integrity of the application’s data or interface, although it does not affect confidentiality or availability. The weakness is identified as improper restriction of operations.
Affected Systems
SAP SE’s SAP CRM WebClient UI is affected. No specific version information is provided, so any deployment of this product should be examined for the missing CSP configuration.
Risk and Exploitability
With a CVSS score of 4.1, the severity is low. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through a web page or component served by the WebClient UI; an attacker with access to the application could supply a malicious script payload via input fields or URLs. Exploitation requires the presence of the vulnerable UI and the absence of a blocking CSP policy.
OpenCVE Enrichment