6.1

CVE-2025-42969

SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject a malicious script into a dynamically crafted URL. The victim, when tricked into clicking on this crafted URL unknowingly executes the malicious payload in their browser. On successful exploitation, the attacker can access or modify sensitive information within the scope of victim's web browser, with no impact on availability of the application.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
VendorSAP_SE
Product SAP NetWeaver Application Server ABAP and ABAP Platform
Default Statusunaffected
Version SAP_BASIS 740
Status affected
Version SAP_BASIS 750
Status affected
Version SAP_BASIS 751
Status affected
Version SAP_BASIS 752
Status affected
Version SAP_BASIS 753
Status affected
Version SAP_BASIS 754
Status affected
Version SAP_BASIS 755
Status affected
Version SAP_BASIS 756
Status affected
Version SAP_BASIS 757
Status affected
Version SAP_BASIS 758
Status affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.13% 0.339
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
cna@sap.com 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.