CVE-2025-42990

Medienbericht

EPSS 0.03%
Veröffentlicht 10.06.2025 00:12:33
Zuletzt bearbeitet 12.06.2025 16:06:39
Quelle cna@sap.com
CVE-Watchlists
Login
Unerledigt
Login

Unprotected SAPUI5 applications allow an attacker with basic privileges to inject malicious HTML code into a webpage, with the goal of redirecting users to the attacker controlled URL. This issue could impact the integrity of the application. Confidentiality or Availability are not impacted.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerSAP_SE

≫

Produkt SAPUI5 applications

Default Statusunaffected

Version SAP_UI 750

Status affected

Version 754

Status affected

Version 755

Status affected

Version 756

Status affected

Version 757

Status affected

Version 758

Status affected

Version UI_700 200

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.058

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@sap.com	3	1.3	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.heise.de/news/SAP-Patchday-Erneut-kritische-Sicherheitsluecke-in-Netweaver-10438217.html

Medienbericht

heise Security

https://url.sap/sapsecuritypatchday

https://me.sap.com/notes/3601169

https://nvd.nist.gov/vuln/detail/CVE-2025-42990

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-42990

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-42990

EUVD