Description
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to a Stored Cross-Site Scripting (XSS) vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits the compromised page, the injected script gets executed, potentially compromising the confidentiality and integrity within the scope of the victim's browser. Availability is not impacted.
References (2)
Core References
Vendor Advisory
https://me.sap.com/notes/3559307
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
4.7
EPSS
0.0028
EPSS Percentile
51.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (10)
SAP_SE/SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
7.22EXT
SAP_SE/SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
7.53
SAP_SE/SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
7.54
SAP_SE/SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
7.77
SAP_SE/SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
7.89
SAP_SE/SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
7.93
SAP_SE/SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
9.14
SAP_SE/SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
KERNEL 7.22
SAP_SE/SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
KRNL64NUC 7.22
SAP_SE/SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
KRNL64UC 7.22
Published
Apr 08, 2025
Tracked Since
Feb 18, 2026