Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Authenticated low-privilege account required (PR:L), victim interaction mandatory (UI:R), browser scope change applies (S:C); description confirms no confidentiality or availability impact.
Primary rating from Vendor (sap).
CVSS VectorVendor: sap
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
SAP CRM WebClient UI allows an attacker to inject and execute malicious scripts in the context of the application due to the absence of a Content Security Policy (CSP) configuration for certain restrictive directives. This vulnerability has a low impact on the integrity of the application. Confidentiality and availability are not impacted.
AnalysisAI
Script injection in SAP CRM WebClient UI is enabled by absent Content Security Policy (CSP) directives for certain restrictive headers, allowing an authenticated low-privileged attacker to inject malicious JavaScript that executes in a victim user's browser session. The CVSS vector (PR:L/UI:R/S:C) confirms this requires both an authenticated attacker and victim interaction, with a cross-scope impact consistent with browser-context script execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid low-privileged SAP CRM account, as confirmed by CVSS PR:L - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 4.1 (Medium) accurately reflects the constrained impact profile: while the attack is network-reachable and low-complexity (AV:N/AC:L), it requires an authenticated low-privileged account (PR:L) and mandatory victim interaction (UI:R), introducing two meaningful friction points. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privileged SAP CRM user injects a malicious script payload into a CRM record, activity, or shareable link within the WebClient UI. When a victim user with a valid session navigates to or interacts with that content, the browser executes the script without CSP restriction, potentially enabling session manipulation, UI redirection, or limited data modification within the victim's browser context. … |
| Remediation | Apply the corrective measures detailed in SAP Security Note 3155685 (https://me.sap.com/notes/3155685), which addresses the absent CSP configuration in SAP CRM WebClient UI. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43592
GHSA-xfxh-3p9c-mww9