SAP NetWeaver AS Java XSS Allows Stored JS Payload via Basic User Input
CVE-2025-0054 Published on February 11, 2025
Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java
SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.
Vulnerability Analysis
CVE-2025-0054 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2025-0054 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2025-0054
Want to know whenever a new CVE is published for SAP Netweaver Application Server Java? stack.watch will email you.
Affected Versions
SAP_SE SAP NetWeaver Application Server Java:- Version EP-BASIS 7.50 is affected.
- Version FRAMEWORK-EXT 7.50 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.