← back
CVE-2025-0057

Cross-Site Scripting vulnerability in SAP NetWeaver AS JAVA (User Admin Application)

CVSS 4.8 MEDIUMEPSS 0.2%CWE-434
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.8EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
14 Jan 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
SAP NetWeaver AS JAVA (User Admin Application) is vulnerable to stored cross site scripting vulnerability. An attacker posing as an admin can upload a photo with malicious JS content. When a victim visits the vulnerable component, the attacker can read and modify information within the scope of victim's web browser.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Affected products
SAP_SE · SAP NetWeaver AS JAVA (User Admin Application)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://me.sap.com/notes/3514421https://url.sap/sapsecuritypatchday