CVE-2025-0054

Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java

CVSS 5.4 MEDIUMEPSS 0.3%CWE-79

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.4EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

11 Feb 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected products

SAP_SE · SAP NetWeaver Application Server Java

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://me.sap.com/notes/3526203 https://url.sap/sapsecuritypatchday