CVE-2025-24868
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2Tags
Description
The User Account and Authentication service (UAA) for SAP HANA extended application services, advanced model (SAP HANA XS advanced model) allows an unauthenticated attacker to craft a malicious link, that, when clicked by a victim, redirects the browser to a malicious site due to insufficient redirect URL validation. On successful exploitation attacker can cause limited impact on confidentiality, integrity, and availability of the system.
Analysis
The User Account and Authentication service (UAA) for SAP HANA extended application services, advanced model (SAP HANA XS advanced model) allows an unauthenticated attacker to craft a malicious link,. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical Context
This vulnerability is classified as Open Redirect (CWE-601), which allows attackers to redirect users to malicious websites via URL manipulation. The User Account and Authentication service (UAA) for SAP HANA extended application services, advanced model (SAP HANA XS advanced model) allows an unauthenticated attacker to craft a malicious link, that, when clicked by a victim, redirects the browser to a malicious site due to insufficient redirect URL validation. On successful exploitation attacker can cause limited impact on confidentiality, integrity, and availability of the system.
Affected Products
See vendor advisory for affected versions.
Remediation
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate redirect destinations against an allowlist, avoid using user input in redirect URLs.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today