CVE-2025-0054Cross-site Scripting in SE SAP Netweaver Application Server Java

CWE-79Cross-site ScriptingCWE-787Out-of-bounds Write4 documents4 sources
Severity
5.4MEDIUMNVD
EPSS
0.1%
top 71.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP SE SAP Netweaver Application Server Java
Timeline
PublishedFeb 11

Description

SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

CVEListV5sap_se/sap_netweaver_application_server_javaEP-BASIS 7.50, FRAMEWORK-EXT 7.50+1

🔴Vulnerability Details

2
CVEList
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java2025-02-11
GHSA
GHSA-jjq7-xc67-vrv3: SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability2025-02-11

📋Vendor Advisories

1
Microsoft
Out-of-bounds Write in vim/vim2023-01-10
CVE-2025-0054 — Cross-site Scripting | cvebase