{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0489", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-12-09T22:06:32.759Z", "datePublished": "2026-03-10T00:17:01.649Z", "dateUpdated": "2026-03-10T16:53:45.896Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-03-10T00:17:01.649Z"}, "title": "DOM-based Cross-Site Scripting (XSS) Vulnerability in SAP Business One (Job Service)", "problemTypes": [{"descriptions": [{"lang": "eng", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation", "type": "CWE"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Business One (Job Service)", "versions": [{"status": "affected", "version": "B1_ON_HANA 10.0"}, {"status": "affected", "version": "SAP-M-BO 10.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Due to insufficient validation of user-controlled input in the URLs query parameter. SAP Business One Job Service could allow an unauthenticated attacker to inject specially crafted input which upon user interaction could result in a DOM-based Cross-Site Scripting (XSS) vulnerability. This issue had a low impact on the confidentiality and integrity of the application with no impact on availability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Due to insufficient validation of user-controlled input in the URLs query parameter. SAP Business One Job Service could allow an unauthenticated attacker to inject specially crafted input which upon user interaction could result in a DOM-based Cross-Site Scripting (XSS) vulnerability. This issue had a low impact on the confidentiality and integrity of the application with no impact on availability.</p>"}]}], "references": [{"url": "https://me.sap.com/notes/3693543"}, {"url": "https://url.sap/sapsecuritypatchday"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T15:36:15.803682Z", "id": "CVE-2026-0489", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T16:53:45.896Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0489", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T15:36:15.803682Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:36:16.863Z"}}], "cna": {"title": "DOM-based Cross-Site Scripting (XSS) Vulnerability in SAP Business One (Job Service)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Business One (Job Service)", "versions": [{"status": "affected", "version": "B1_ON_HANA 10.0"}, {"status": "affected", "version": "SAP-M-BO 10.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3693543"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Due to insufficient validation of user-controlled input in the URLs query parameter. SAP Business One Job Service could allow an unauthenticated attacker to inject specially crafted input which upon user interaction could result in a DOM-based Cross-Site Scripting (XSS) vulnerability. This issue had a low impact on the confidentiality and integrity of the application with no impact on availability.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to insufficient validation of user-controlled input in the URLs query parameter. SAP Business One Job Service could allow an unauthenticated attacker to inject specially crafted input which upon user interaction could result in a DOM-based Cross-Site Scripting (XSS) vulnerability. This issue had a low impact on the confidentiality and integrity of the application with no impact on availability.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-03-10T00:17:01.649Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0489", "state": "PUBLISHED", "dateUpdated": "2026-03-10T16:53:45.896Z", "dateReserved": "2025-12-09T22:06:32.759Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-03-10T00:17:01.649Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to insufficient validation of user-controlled input in the URLs query parameter. SAP Business One Job Service could allow an unauthenticated attacker to inject specially crafted input which upon user interaction could result in a DOM-based Cross-Site Scripting (XSS) vulnerability. This issue had a low impact on the confidentiality and integrity of the application with no impact on availability."}], "id": "CVE-2026-0489", "lastModified": "2026-03-11T13:53:47.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-03-10T17:31:05.073", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3693543"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "B1_ON_HANA 10.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SAP-M-BO 10.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "SAP Business One (Job Service)", "source": "cna", "vendor": "SAP_SE"}, "product": "sap_business_one_(job_service)", "vendor": "sap_se"}], "analysis": {"en": {"generated_at": "2026-04-17T11:47:04.043755+00:00", "value": {"mitigation_remediation": ["Apply the latest SAP Business One Job Service security patch as distributed by SAP (see SAP Note 3693543 or the official SAP security patch day releases).", "Ensure that all URL query parameters are properly sanitized and that stored or reflected values are escaped before being embedded in the DOM.", "Restrict or disable unauthenticated access to the Job Service endpoint where feasible, or enforce role\u2011based access controls to limit exposure."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The affected product is SAP Business One Job Service. No specific version information is available in the advisory; administrators should verify the presence of the flaw against their deployed instances.", "description_and_impact": "The SAP Business One Job Service contains a DOM\u2011based Cross\u2011Site Scripting flaw caused by insufficient validation of user\u2011controlled input in a URL query parameter. An unauthenticated attacker can inject specially crafted data that will be processed when a user interacts with the affected page, potentially leading to the execution of malicious scripts in the victim\u2019s browser session. The vulnerability is classified as CWE\u201179, and the impact is limited to confidentiality and integrity via the compromise of session state, with no effect on availability.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity, reflecting the requirement of user interaction and the lack of direct remote code execution. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in CISA's catalog of known exploited vulnerabilities. The likely attack vector requires an unauthenticated attacker to craft a malicious URL that a user opens; the attacker cannot compromise the system without a victim\u2019s interaction. Based on the provided data, continuous monitoring for the release of a vendor patch remains prudent."}}}}, "created": "2026-03-10T14:06:20.523806+00:00", "updated": "2026-04-17T12:00:11.723874+00:00", "vendors": ["sap_se", "sap_se$PRODUCT$sap_business_one_(job_service)"]}