CVE-2025-0054

SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3526203
https://url.sap/sapsecuritypatchday

Configurations

No configuration.

History

18 Feb 2025, 18:15

Type	Values Removed	Values Added
Summary		(es) El servidor de aplicaciones Java de SAP NetWeaver no gestiona adecuadamente la entrada del usuario, lo que da lugar a una vulnerabilidad Cross-Site Scripting Almacenado. La aplicación permite a los atacantes con privilegios de usuario básicos almacenar un payload Javascript en el servidor, que podría ejecutarse posteriormente en el navegador web de la víctima. Con esto, el atacante podría leer o modificar información asociada a la página web vulnerable.

11 Feb 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-11 01:15

Updated : 2025-02-18 18:15

NVD link : CVE-2025-0054

Mitre link : CVE-2025-0054

CVE.ORG link : CVE-2025-0054

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10