CVE-2026-24323
MEDIUM WAF: Medium
CVSS 6.1
Published: 2026-02-10
CWE-601
The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim's browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.
WAF Coverage Analysis
Open Redirect
Medium WAF Coverage
OWASP: A01:2021 Broken Access Control
941xxx - XSS / XXE
Affected Software
| Vendor | Product | Version |
|---|---|---|
| sap | document_management_system | 600 |
| sap | document_management_system | 602 |
| sap | document_management_system | 603 |
| sap | document_management_system | 604 |
| sap | document_management_system | 605 |
| sap | document_management_system | 606 |
| sap | document_management_system | 617 |
| sap | erp | 618 |
| sap | s4core | 102 |
| sap | s4core | 103 |
References
- me.sap.com (Permissions Required)
- url.sap (Vendor Advisory)