CVE-2025-0054

MEDIUM

SAP NetWeaver Application Server Java - XSS

Title source: llm

Description

SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.

Exploits (1)

nomisec SCANNER

by z3usx01 · poc

https://github.com/z3usx01/CVE-2025-0054

View Code ZIP pw:eip

References (2)

[Vendor Advisory] https://me.sap.com/notes/3526203

[Vendor Advisory] https://url.sap/sapsecuritypatchday

Scores

CVSS v3 5.4

EPSS 0.0010

EPSS Percentile 27.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

SAP_SE/SAP NetWeaver Application Server Java EP-BASIS 7.50

SAP_SE/SAP NetWeaver Application Server Java FRAMEWORK-EXT 7.50

Published Feb 11, 2025

Tracked Since Feb 18, 2026