
CVE-2025-24868: Open Redirect Vulnerability in SAP HANA extended application services, advanced model (User Account and Authentication Services)

7.1 CVSS

Description

The User Account and Authentication service (UAA) for SAP HANA extended application services, advanced model (SAP HANA XS advanced model) allows an unauthenticated attacker to craft a malicious link that, when clicked by a victim, redirects the browser to a malicious site, because the redirect URL is insufficiently validated. On successful exploitation, the attacker can cause limited impact on the confidentiality, integrity, and availability of the system.
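The root cause named above, insufficient validation of a user-supplied redirect URL, is a generic defect and the fix is generic too: resolve the target URL, then accept it only if its host is on an explicit allowlist (or it is a plain same-site path). The following is an added illustration, not SAP's UAA code, and the hostnames in `ALLOWED_HOSTS` are constructed for the example. It places a naive prefix check, of the kind that produces open redirects, beside an allowlist check that fails closed on the classic evasions (scheme-relative `//host`, userinfo `trusted@evil`, look-alike subdomains, non-HTTP schemes, backslash variants).

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: hosts this service may redirect to.
ALLOWED_HOSTS = {"app.example.com", "login.example.com"}
ALLOWED_SCHEMES = {"http", "https"}  # tighten to {"https"} where TLS is mandatory


def weak_is_safe_redirect(url: str) -> bool:
    """A string-prefix check. Shown only as the 'before' case: it accepts
    https://app.example.com.evil.example/ and https://app.example.com@evil.example/
    because both start with the trusted prefix."""
    return url.startswith("https://app.example.com")


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allowlist-based redirect validation that fails closed.

    Accepts: a single-slash relative path, or an absolute http(s) URL whose
    parsed hostname (userinfo and port stripped) is in allowed_hosts.
    Rejects everything else, including scheme-relative and non-HTTP URLs.
    """
    if not url or any(ch in url for ch in "\r\n\x00"):
        return False
    # Some browsers treat backslashes as forward slashes; normalise first so
    # "/\\evil.example" is parsed the same way the browser would parse it.
    normalised = url.replace("\\", "/")
    parts = urlsplit(normalised)

    if not parts.scheme and not parts.netloc:
        # Relative reference: allow "/path" but not "//host" (scheme-relative).
        return normalised.startswith("/") and not normalised.startswith("//")

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # javascript:, data:, file:, custom schemes, etc.

    host = parts.hostname  # already lowercased; excludes userinfo and port
    if host is None:
        return False
    return host in allowed_hosts


def resolve_redirect(requested: str, default: str = "/") -> str:
    """What a login handler should do with a 'redirect_uri'-style parameter:
    use it only if it validates, otherwise fall back to a fixed safe location."""
    return requested if is_safe_redirect(requested) else default


if __name__ == "__main__":
    # Constructed sample inputs: a few legitimate targets and the usual evasions.
    samples = [
        "/dashboard",
        "https://app.example.com/home",
        "https://LOGIN.example.com:443/cb",
        "//evil.example/",
        "https://app.example.com@evil.example/",
        "https://app.example.com.evil.example/",
        "javascript:alert(1)",
        "/\\evil.example",
    ]
    for s in samples:
        print(f"{s!r:45} weak={weak_is_safe_redirect(s)!s:5} strict={is_safe_redirect(s)}")
```

Any request parameter that ends up in a `Location` header should pass through something like `resolve_redirect` rather than a prefix or substring comparison; the allowlist should hold full hostnames, not suffixes, and the parser used for the check should be the same one used to build the response.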

Classification

CVE ID: CVE-2025-24868

CVSS Base Severity: HIGH

CVSS Base Score: 7.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Affected Products

Vendor: SAP_SE

Product: SAP HANA extended application services, advanced model (User Account and Authentication Services)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild)

EPSS Percentile: 19.88% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-12 (date on which the score was calculated)

References

https://me.sap.com/notes/3563929
https://url.sap/sapsecuritypatchday

Timeline