{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24323", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2026-01-21T22:15:36.672Z", "datePublished": "2026-02-10T03:04:11.848Z", "dateUpdated": "2026-02-10T16:22:54.274Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP Document Management System", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "SAP_APPL 618"}, {"status": "affected", "version": "S4CORE 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "EA-APPL 600"}, {"status": "affected", "version": "602"}, {"status": "affected", "version": "603"}, {"status": "affected", "version": "604"}, {"status": "affected", "version": "605"}, {"status": "affected", "version": "606"}, {"status": "affected", "version": "617"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim\ufffds browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.</p>"}], "value": "The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim\ufffds browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:04:11.848Z"}, "references": [{"url": "https://me.sap.com/notes/3678417"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Multiple vulnerabilities in BSP Applications of SAP Document Management System", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T16:19:53.737158Z", "id": "CVE-2026-24323", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:22:54.274Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24323", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T16:19:53.737158Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:19:57.766Z"}}], "cna": {"title": "Multiple vulnerabilities in BSP Applications of SAP Document Management System", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Document Management System", "versions": [{"status": "affected", "version": "SAP_APPL 618"}, {"status": "affected", "version": "S4CORE 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "EA-APPL 600"}, {"status": "affected", "version": "602"}, {"status": "affected", "version": "603"}, {"status": "affected", "version": "604"}, {"status": "affected", "version": "605"}, {"status": "affected", "version": "606"}, {"status": "affected", "version": "617"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3678417"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim\ufffds browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.", "supportingMedia": [{"type": "text/html", "value": "<p>The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim\ufffds browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-02-10T03:04:11.848Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24323", "state": "PUBLISHED", "dateUpdated": "2026-02-10T16:22:54.274Z", "dateReserved": "2026-01-21T22:15:36.672Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-02-10T03:04:11.848Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:document_management_system:600:*:*:*:*:*:*:*", "matchCriteriaId": "FD522469-1153-4A3C-9271-2338A5674BDA", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:document_management_system:602:*:*:*:*:*:*:*", "matchCriteriaId": "D355E922-5592-41C7-ACE4-311044B9E8C3", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:document_management_system:603:*:*:*:*:*:*:*", "matchCriteriaId": "1E8A41C8-812E-4319-B515-CF9F030DAA19", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:document_management_system:604:*:*:*:*:*:*:*", "matchCriteriaId": "4B470B7D-486C-43B0-B9B0-AC0A16034A01", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:document_management_system:605:*:*:*:*:*:*:*", "matchCriteriaId": "0024390E-91C7-48B5-8E04-265E9E6D4E75", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:document_management_system:606:*:*:*:*:*:*:*", "matchCriteriaId": "133C3E0D-2D67-479A-A678-07EB04244BCB", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:document_management_system:617:*:*:*:*:*:*:*", "matchCriteriaId": "D7E1D717-FA00-47D5-94B6-E818848890C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:erp:618:*:*:*:*:*:*:*", "matchCriteriaId": "4573BD22-D50B-431E-928A-C495E342D1AE", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s4core:102:*:*:*:*:*:*:*", "matchCriteriaId": "04C95A73-48EB-446C-A5F0-20E1D6BC1779", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s4core:103:*:*:*:*:*:*:*", "matchCriteriaId": "1C3C9003-68A6-4886-8979-9B7D01A35E40", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s4core:104:*:*:*:*:*:*:*", "matchCriteriaId": "964023CE-6EA4-42BB-93B2-DCE6B36D3F89", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s4core:105:*:*:*:*:*:*:*", "matchCriteriaId": "84B775EF-6C11-4FAB-B5E7-8F6C4C5674BE", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s4core:106:*:*:*:*:*:*:*", "matchCriteriaId": "14D17245-5B6D-4024-AFA6-8E0A70B294BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s4core:107:*:*:*:*:*:*:*", "matchCriteriaId": "5DEFABE8-1797-4C7B-941C-3205AE90914B", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:s4core:108:*:*:*:*:*:*:*", "matchCriteriaId": "78832FB6-B1DD-4516-B1DF-D90BB58BF25A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The BSP applications allow an unauthenticated user to inject malicious script content via user-controlled URL parameters that are not sufficiently sanitized. When a victim accesses a crafted URL, the injected script is executed in the victim\ufffds browser, leading to a low impact on confidentiality and integrity, and no impact on the availability of the application."}, {"lang": "es", "value": "Las aplicaciones BSP permiten a un usuario no autenticado inyectar contenido de script malicioso a trav\u00e9s de par\u00e1metros de URL controlados por el usuario que no est\u00e1n suficientemente saneados. Cuando una v\u00edctima accede a una URL manipulada, el script inyectado se ejecuta en el navegador de la v\u00edctima, lo que conlleva un impacto bajo en la confidencialidad y la integridad, y ning\u00fan impacto en la disponibilidad de la aplicaci\u00f3n."}], "id": "CVE-2026-24323", "lastModified": "2026-02-17T15:15:47.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-02-10T04:16:04.467", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://me.sap.com/notes/3678417"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "SAP_APPL 618"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "S4CORE 102"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "103"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "104"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "105"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "106"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "107"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "108"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "109"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "EA-APPL 600"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "602"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "603"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "604"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "605"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "606"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "617"}}], "product": "sap_document_management_system", "vendor": "sap_se"}], "analysis": {"en": {"generated_at": "2026-04-17T20:55:57.375226+00:00", "value": {"mitigation_remediation": ["Obtain and install the SAP security patch referenced in SAP Note 3678417 to remove the unsanitized URL parameters.", "Configure input validation on the affected BSP application to whitelist accepted characters or patterns for URL parameters, ensuring that scripts cannot be injected.", "Implement access controls to restrict who can execute the vulnerable endpoints, lowering the chance that an unauthenticated user can trigger the flaw.", "If a patch cannot be applied immediately, disable or bypass the affected BSP modules and monitor for unauthorized access attempts."], "summary": {"action": "Apply patch", "impact": "Client\u2011side script injection (Cross\u2011Site Scripting) leading to data exposure"}, "threat_synthesis": {"affected_systems": "This flaw affects SAP Document Management System versions 600 through 617, the ERP product 618, and the SAP S/4HANA Core systems from 102 to 108, as indicated by the associated versioned CPE entries.", "description_and_impact": "The vulnerable Business Service Portal applications allow an unauthenticated user to inject arbitrary script through URL parameters that are not properly sanitized. When a victim follows a crafted link, the script runs in the victim\u2019s browser, potentially exposing confidential information that the victim\u2019s session can access. Although the impact on application availability is negligible, the confidentiality and integrity of the victim\u2019s data can be compromised.", "risk_and_exploitability": "The CVSS score of 6.1 classifies it as moderate risk, and the EPSS score of less than 1% suggests a low probability of exploitation at present. It is not listed in the CISA KEV catalog. The attack requires no privileged credentials; a malicious actor simply constructs a malicious URL and lures a user to it. If successful, the impact is limited to the client side, but the data accessed can be sensitive."}}}}, "created": "2026-02-10T15:37:16.014454+00:00", "updated": "2026-04-17T21:00:12.722808+00:00", "vendors": ["sap_se", "sap_se$PRODUCT$sap_document_management_system"]}