CVE-2025-42990: HTML Injection in Unprotected SAPUI5 applications

3.0 CVSS

Description

Unprotected SAPUI5 applications allow an attacker with basic privileges to inject malicious HTML code into a webpage, with the goal of redirecting users to an attacker-controlled URL. This issue could impact the integrity of the application. Confidentiality and availability are not impacted.

Classification

CVE ID: CVE-2025-42990

CVSS Base Severity: LOW

CVSS Base Score: 3.0

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation

Affected Products

Vendor: SAP_SE

Product: SAPUI5 applications

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.01% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-13 (date on which this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-42990
https://me.sap.com/notes/3601169
https://url.sap/sapsecuritypatchday

Timeline