4.2
CVE-2026-24315
- EPSS 0.17%
- Veröffentlicht 09.06.2026 00:19:52
- Zuletzt bearbeitet 09.06.2026 02:08:28
- Quelle cna@sap.com
- CVE-Watchlists
- Unerledigt
Path Traversal Vulnerability in SAP Fiori (launchpad)
SAP Fiori Launchpad allows attackers to craft malicious URLs that triggers arbitrary service calls on the Fiori domain, this when opened by the user could compromise accounts by stealing user credentials. Successful exploitation requires adversaries to possess advanced knowledge of the system causing low impact on Confidentiality and Integrity. Availability of the system is no impacted.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerSAP_SE
≫
Produkt
SAP Fiori (launchpad)
Default Statusunaffected
Version
SAP_UI 754
Status
affected
Version
755
Status
affected
Version
756
Status
affected
Version
757
Status
affected
Version
758
Status
affected
Version
816
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.17% | 0.07 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| cna@sap.com | 4.2 | 1.6 | 2.5 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
|
CWE-35 Path Traversal: '.../...//'
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
https://url.sap/sapsecuritypatchday
https://me.sap.com/notes/3682699