CVE-2025-24868
HIGH
SAP HANA XS Advanced (User Auth) - Unauthenticated Open Redirect via Insufficient Redirect URL Validation
Title source: llmDescription
The User Account and Authentication service (UAA) for SAP HANA extended application services, advanced model (SAP HANA XS advanced model) allows an unauthenticated attacker to craft a malicious link that, when clicked by a victim, redirects the browser to an attacker-controlled site because the redirect URL is insufficiently validated. On successful exploitation, the attacker can cause limited impact on the confidentiality, integrity, and availability of the system.
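The weakness class named above (CWE-601, open redirect through insufficient validation of a caller-supplied redirect URL) is easy to introduce with a prefix or substring check on the target. The following is an added example written for this page, not SAP's code and not a description of the SAP UAA implementation: a weak prefix check is shown beside a strict parse-and-allowlist check, with a resolver that falls back to a fixed landing page whenever the requested target does not validate. The client registration, host names and paths are constructed for the illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist of redirect URIs registered for a hypothetical client;
# not SAP's configuration.
REGISTERED_REDIRECTS = {
    "https://app.example.com/login/callback",
}

# Fixed post-login page used whenever the requested target fails validation.
DEFAULT_LANDING = "https://app.example.com/"


def weak_redirect_ok(url: str) -> bool:
    """Prefix check of the kind that produces CWE-601.

    It was meant to keep redirects on app.example.com, but the prefix also
    matches lookalike hosts and userinfo tricks, for example
    https://app.example.com.evil.test/ and https://app.example.com@evil.test/.
    """
    return url.startswith("https://app.example.com")


def strict_redirect_ok(url: str) -> bool:
    """Parse the URL and require an exact match against the registered set."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # Scheme-relative targets (//evil.test) have an empty scheme; only HTTPS passes.
    if parts.scheme.lower() != "https" or not parts.netloc:
        return False
    # Credentials in the authority (https://trusted@evil.test) are never legitimate here.
    if "@" in parts.netloc:
        return False
    # A fragment would be forwarded to the target verbatim; reject rather than strip.
    if parts.fragment:
        return False
    # Canonical form: lowercase scheme and authority (port included), path and
    # query exactly as given. Exact string matching of registered redirect URIs
    # is what the OAuth 2.0 Security BCP recommends.
    canonical = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"
    if parts.query:
        canonical += f"?{parts.query}"
    return canonical in REGISTERED_REDIRECTS


def choose_redirect(requested: Optional[str]) -> str:
    """Resolve the post-login target.

    The requested URL is used only if it validates; otherwise the fixed landing
    page is returned, so an unvalidated value never reaches the Location header.
    """
    if requested and strict_redirect_ok(requested):
        return requested
    return DEFAULT_LANDING


if __name__ == "__main__":
    for candidate in (
        "https://app.example.com/login/callback",
        "https://app.example.com.evil.test/login/callback",
        "https://app.example.com@evil.test/login/callback",
        "//evil.test/login/callback",
    ):
        print(f"{candidate!r}: weak={weak_redirect_ok(candidate)} "
              f"strict={strict_redirect_ok(candidate)} -> {choose_redirect(candidate)}")
```

The strict variant deliberately rejects anything it cannot parse into a registered entry instead of trying to repair it; a login flow that substitutes a safe default is the check an authentication service needs, and the weak prefix test shows why a substring match on the trusted origin is not one.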
References (2)
Vendor Advisory
https://me.sap.com/notes/3563929
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3.1 base score
7.1
EPSS
0.0006
EPSS Percentile
20.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-601
Status
published
Products (1)
SAP_SE/SAP HANA extended application services, advanced model (User Account and Authentication Services)
SAP_EXTENDED_APP_SERVICES 1
Published
Feb 11, 2025
Tracked Since
Feb 18, 2026