Insufficient URL Validation in SAP HANA XS Advanced Model
CVE-2025-24868
CVSS 7.1 (HIGH)
Key Information:
- Vendor: SAP
- Status: Vendor
- CVE Published: 11 February 2025
Summary
The User Account and Authentication (UAA) service in SAP HANA extended application services, advanced model does not validate redirect targets sufficiently. An unauthenticated attacker can craft a link to the UAA service that, when a victim clicks it, sends the victim's browser to an attacker-controlled site (an open redirect). Exploitation needs no privileges but does require user interaction, and the impact on confidentiality, integrity, and availability is rated Low; the CVSS vector nevertheless rates Scope as Changed because the impacted component is the victim's browser rather than the UAA service itself, which lifts the base score to 7.1. Administrators should apply the corrective fix SAP published for this CVE; until it is applied, links to the UAA login service that arrive by e-mail or chat should be treated with caution.
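The flaw class described above is a redirect-target check that is too loose. The following is an added, generic illustration and is not SAP's UAA code: it contrasts a substring-style check (which lets through every bypass pattern shown) with an exact-match check against registered redirect URIs, the approach RFC 6749 recommends for OAuth redirect_uri. The allowlist entries, the probe URLs and the parameter name are constructed assumptions for the example.

```python
"""Open-redirect guard for a login/authorization endpoint's redirect target.

Added example: generic code, not SAP's UAA implementation. The allowlist,
the probe URLs and the assumed parameter name (redirect_uri) are constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist of registered redirect targets (assumption, not SAP config).
REGISTERED_REDIRECTS = (
    "https://app.example.com/callback",
    "https://portal.example.com/",
)

_TRUSTED_HOSTS = tuple(urlsplit(r).hostname for r in REGISTERED_REDIRECTS)


def weak_is_allowed(candidate: str) -> bool:
    """The kind of check that produces an open redirect: a substring test on
    the raw string. Anything that merely *contains* a trusted hostname passes."""
    return any(host in candidate for host in _TRUSTED_HOSTS)


def _normalize(url: str):
    """Return (scheme, host, port, path, query) for an https URL, or None if the
    URL is malformed or uses a trick that browsers and servers parse differently."""
    # Browsers treat '\' as '/' in https URLs and strip tab/newline, so the host a
    # browser resolves can differ from what the server parsed: reject outright.
    if any(c in url for c in "\\\r\n\t "):
        return None
    parts = urlsplit(url)          # urlsplit lowercases scheme and hostname
    if parts.scheme != "https":    # also rejects "//host", "javascript:", "data:"
        return None
    if parts.username is not None or parts.password is not None:
        return None                # "https://trusted.example@evil.example/"
    if parts.fragment:
        return None                # fragments are never part of a registered URI
    if not parts.hostname:
        return None
    try:
        port = parts.port or 443
    except ValueError:             # non-numeric or out-of-range port
        return None
    return (parts.scheme, parts.hostname, port, parts.path or "/", parts.query)


_REGISTERED_NORMALIZED = {_normalize(r) for r in REGISTERED_REDIRECTS}


def strict_is_allowed(candidate: str) -> bool:
    """Exact match against the registered redirect URIs after normalization."""
    norm = _normalize(candidate)
    return norm is not None and norm in _REGISTERED_NORMALIZED


# Constructed probe URLs: one legitimate target plus bypass patterns that a
# substring/prefix check accepts and an exact-match check refuses.
PROBES = [
    "https://app.example.com/callback",                  # legitimate
    "https://app.example.com.evil.example/callback",     # host-suffix trick
    "https://app.example.com@evil.example/callback",     # userinfo trick
    "https://evil.example/?next=app.example.com",        # trusted host only in query
    "//app.example.com.evil.example/",                   # scheme-relative
    "https://app.example.com\\@evil.example/callback",   # backslash trick
    "http://app.example.com/callback",                   # scheme downgrade
]


def compare(probes=PROBES):
    """Return {url: (weak_result, strict_result)} for each probe."""
    return {u: (weak_is_allowed(u), strict_is_allowed(u)) for u in probes}


if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

Run stand-alone, the script prints one line per probe; only the first probe survives the strict check, while every probe passes the substring check. The same normalization can be reused when reviewing a redirect parameter in server logs to separate legitimate callbacks from crafted links.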
Affected Version(s)
SAP HANA extended application services, advanced model (User Account and Authentication Services) SAP_EXTENDED_APP_SERVICES 1
CVSS v3.1
- Score: 7.1
- Severity: HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed