CVE-2026-24318

EUVD-2026-22140

14.04.2026, 00:16

Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victims session. If the application continues to accept previously issued tokens after authentication, the attacker could assume the victims authenticated context. This could allow the attacker to access or modify information within the victims session scope, impacting confidentiality and integrity, while availability remains unaffected.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	4.2 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-539 - Use of Persistent Cookies Containing Sensitive Information
The web application uses persistent cookies, but the cookies contain sensitive information.

Vulnerability Media Exposure

[GERMAN] SAP Patch Day April 2026: SQL-Injection-Lücke mit CVSS 9,9 erfordert sofortiges Handeln
Zum April-Patch-Day hat SAP 22 neue und aktualisierte Sicherheitshinweise veröffentlicht. Darunter befindet sich ein HotNews-Hinweis sowie zwei High-Priority-Hinweise. Fünf der insgesamt 18 neuen Hinweise entstanden in enger Zusammenarbeit mit den Onapsis Research Labs (ORL), die damit erneut einen substanziellen Beitrag zur Absicherung der SAP-Produktlandschaft geleistet haben. Der Beitrag SAP Patch Day April 2026: SQL-Injection-Lücke mit CVSS 9,9 erfordert sofortiges Handeln erschien zuerst auf All About Security Das Online-Magazin zu Cybersecurity (Cybersicherheit). Ransomware, Phishing, IT-Sicherheit, Netzwerksicherheit, KI, Threats, DDoS, Identity & Access, Plattformsicherheit .
Published: 2026-04-14T09:53:44+00:00

References

https://me.sap.com/notes/3702191

https://url.sap/sapsecuritypatchday