Skip to main content

CVE-2025-42990: CWE-79: Improper Neutralization of Input During Web Page Generation in SAP_SE SAPUI5 applications

Low
VulnerabilityCVE-2025-42990cvecve-2025-42990cwe-79
Published: Tue Jun 10 2025 (06/10/2025, 00:12:33 UTC)
Source: CVE Database V5
Vendor/Project: SAP_SE
Product: SAPUI5 applications

Description

Unprotected SAPUI5 applications allow an attacker with basic privileges to inject malicious HTML code into a webpage, with the goal of redirecting users to the attacker controlled URL. This issue could impact the integrity of the application. Confidentiality or Availability are not impacted.

AI-Powered Analysis

AILast updated: 07/11/2025, 00:32:07 UTC

Technical Analysis

CVE-2025-42990 is a security vulnerability classified under CWE-79, which pertains to improper neutralization of input during web page generation, commonly known as Cross-Site Scripting (XSS). This vulnerability affects SAPUI5 applications developed by SAP SE, specifically impacting versions SAP_UI 750, 754, 755, 756, 757, 758, and UI_700 200. The flaw allows an attacker with basic privileges to inject malicious HTML code into a webpage generated by the vulnerable SAPUI5 application. The injected code can be used to redirect users to attacker-controlled URLs, thereby compromising the integrity of the application. Notably, this vulnerability does not affect the confidentiality or availability of the system, focusing primarily on integrity. The CVSS 3.1 base score is 3.0, indicating a low severity level, with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N. This means the attack requires network access, high attack complexity, low privileges, and user interaction, with a scope change and impact limited to integrity. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability arises from insufficient input sanitization in the SAPUI5 framework, which is widely used for building enterprise web applications in SAP environments.

Potential Impact

For European organizations, the impact of CVE-2025-42990 is primarily on the integrity of SAPUI5-based web applications. Since SAPUI5 is extensively used in enterprise resource planning (ERP), customer relationship management (CRM), and other critical business applications, attackers exploiting this vulnerability could redirect users to malicious sites, potentially facilitating phishing attacks or further social engineering exploits. Although confidentiality and availability are not directly compromised, the redirection could lead to credential theft or malware delivery, indirectly affecting organizational security posture. The requirement for user interaction and low privileges reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks. Organizations relying heavily on SAPUI5 for customer-facing portals or internal dashboards may face reputational damage and operational disruptions if users are redirected to malicious sites. Additionally, the scope change in the CVSS vector indicates that the vulnerability can affect components beyond the initially targeted application, potentially increasing the attack surface within interconnected SAP environments.

Mitigation Recommendations

To mitigate CVE-2025-42990, European organizations should implement the following specific measures: 1) Conduct a thorough audit of all SAPUI5 applications to identify instances where user input is incorporated into web pages without proper sanitization or encoding. 2) Apply strict input validation and output encoding practices, particularly for HTML content, to neutralize potentially malicious input. 3) Monitor SAP SE advisories closely for official patches or updates addressing this vulnerability and prioritize their deployment once available. 4) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of injected code. 5) Educate users about the risks of phishing and suspicious redirects, especially in environments where SAPUI5 applications are accessed. 6) Employ web application firewalls (WAFs) with rules tailored to detect and block XSS attempts targeting SAPUI5 applications. 7) Restrict user privileges to the minimum necessary to reduce the attacker's ability to inject malicious content. 8) Regularly review and update security configurations in SAP environments to ensure compliance with best practices for web application security.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
sap
Date Reserved
2025-04-16T13:25:48.060Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f551b0bd07c3938a2c2

Added to database: 6/10/2025, 6:54:13 PM

Last enriched: 7/11/2025, 12:32:07 AM

Last updated: 8/13/2025, 9:49:28 AM

Views: 21

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats