CVE-2025-42938
MEDIUM
SAP NetWeaver ABAP Platform - Unauthenticated Stored Cross-Site Scripting via Malicious Link
Title source: llmDescription
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website's page generation, resulting in the creation of malicious content. When executed, this content allows the attacker to access or modify information within the victim's browser scope, impacting the confidentiality and integrity, while availability remains unaffected.
References (2)
Core References
Vendor Advisory
https://me.sap.com/notes/3629325
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
6.1
EPSS
0.0012
EPSS Percentile
30.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (8)
SAP_SE/SAP NetWeaver ABAP Platform
200
SAP_SE/SAP NetWeaver ABAP Platform
204
SAP_SE/SAP NetWeaver ABAP Platform
205
SAP_SE/SAP NetWeaver ABAP Platform
206
SAP_SE/SAP NetWeaver ABAP Platform
714
SAP_SE/SAP NetWeaver ABAP Platform
BBPCRM 713
SAP_SE/SAP NetWeaver ABAP Platform
S4CEXT 109
SAP_SE/SAP NetWeaver ABAP Platform
S4CRM 100
Published
Sep 09, 2025
Tracked Since
Feb 18, 2026