CVE-2025-42956 | THREATINT

Description

SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim's browser leading to low impact on Confidentiality and Integrity with no effect on Availability of the application.

PUBLISHED Reserved 2025-04-16 | Published 2025-07-08 | Updated 2025-07-08 | Assigner sap

MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status

unaffected

SAP_BASIS 700

affected

SAP_BASIS 701

affected

SAP_BASIS 702

affected

SAP_BASIS 731

affected

SAP_BASIS 740

affected

SAP_BASIS 750

affected

SAP_BASIS 751

affected

SAP_BASIS 752

affected

SAP_BASIS 753

affected

SAP_BASIS 754

affected

SAP_BASIS 755

affected

SAP_BASIS 756

affected

SAP_BASIS 757

affected

SAP_BASIS 758

affected

SAP_BASIS 816

affected

References

me.sap.com/notes/3617131

url.sap/sapsecuritypatchday

cve.org (CVE-2025-42956)

nvd.nist.gov (CVE-2025-42956)

Download JSON