CVE-2025-42901

Summary

SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in victim user's browser when accessing the affected functionality of BAPI explorer. This has low impact on confidentiality and integrity with no impact on availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 700affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 701affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 702affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 731affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 740affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 750affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 751affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 752affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 753affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 754affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 755affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 756affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 757affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 758affected
SAP_SESAP Application Server for ABAP (BAPI Browser)SAP_BASIS 816affected

Weaknesses

  • CWE-94: CWE-94: Improper Control of Generation of Code

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References