SAP NetWeaver AS JAVA XSS via Photo Upload in User Admin App
CVE-2025-0057 Published on January 14, 2025
Cross-Site Scripting vulnerability in SAP NetWeaver AS JAVA (User Admin Application)
SAP NetWeaver AS JAVA (User Admin Application) is vulnerable to stored cross site scripting vulnerability. An attacker posing as an admin can upload a photo with malicious JS content. When a victim visits the vulnerable component, the attacker can read and modify information within the scope of victim's web browser.
Vulnerability Analysis
CVE-2025-0057 can be exploited with network access, requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an Unrestricted File Upload Vulnerability?
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
CVE-2025-0057 has been classified to as an Unrestricted File Upload vulnerability or weakness.
Affected Versions
SAP_SE SAP NetWeaver AS JAVA (User Admin Application):- Version ENGINEAPI 7.50 is affected.
- Version SERVERCORE 7.50 is affected.
- Version UMEADMIN 7.50 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.