CVE-2025-26662

{"id": "CVE-2025-26662", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.3}]}, "published": "2025-05-13T01:15:47.243", "references": [{"url": "https://me.sap.com/notes/3558755", "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "cna@sap.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Data Services Management Console does not sufficiently encode user-controlled inputs, allowing an attacker to inject malicious script. When a targeted victim, who is already logged in, clicks on the compromised link, the injected script gets executed within the scope of victim\ufffds browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted."}, {"lang": "es", "value": "Data Services Management Console no codifica adecuadamente las entradas controladas por el usuario, lo que permite a un atacante inyectar un script malicioso. Cuando una v\u00edctima, que ya ha iniciado sesi\u00f3n, hace clic en el enlace comprometido, el script inyectado se ejecuta en el navegador de la v\u00edctima. Esto podr\u00eda afectar la confidencialidad y la integridad. La disponibilidad no se ve afectada."}], "lastModified": "2025-05-13T19:35:25.503", "sourceIdentifier": "cna@sap.com"}