Sap Crm Webclient Ui
Monthly
Script injection in SAP CRM WebClient UI is enabled by absent Content Security Policy (CSP) directives for certain restrictive headers, allowing an authenticated low-privileged attacker to inject malicious JavaScript that executes in a victim user's browser session. The CVSS vector (PR:L/UI:R/S:C) confirms this requires both an authenticated attacker and victim interaction, with a cross-scope impact consistent with browser-context script execution. No public exploit code or CISA KEV active exploitation listing has been identified at time of analysis, and impact is bounded to low integrity with no confidentiality or availability consequence.
Script injection in SAP CRM WebClient UI is enabled by absent Content Security Policy (CSP) directives for certain restrictive headers, allowing an authenticated low-privileged attacker to inject malicious JavaScript that executes in a victim user's browser session. The CVSS vector (PR:L/UI:R/S:C) confirms this requires both an authenticated attacker and victim interaction, with a cross-scope impact consistent with browser-context script execution. No public exploit code or CISA KEV active exploitation listing has been identified at time of analysis, and impact is bounded to low integrity with no confidentiality or availability consequence.