CVE-2025-42901

Code Injection vulnerability in SAP Application Server for ABAP (BAPI Browser)

CVSS 5.4 MEDIUMEPSS 0.2%CWE-94

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 5.4EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

14 out 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in victim user's browser when accessing the affected functionality of BAPI explorer. This has low impact on confidentiality and integrity with no impact on availability of the application.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Produtos afetados

SAP_SE · SAP Application Server for ABAP (BAPI Browser)

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://me.sap.com/notes/3652788 https://url.sap/sapsecuritypatchday