DOM-based XSS Vulnerability in SAP NetWeaver Application Server ABAP
CVE-2025-26659

6.1 MEDIUM

Summary

The SAP NetWeaver Application Server ABAP contains a security issue where insufficient encoding of user-controlled inputs can be exploited, allowing for DOM-based Cross-Site Scripting (XSS) attacks. This vulnerability permits an unauthorized attacker to craft a harmful web message that takes advantage of the WEBGUI functionality. If exploited, the malicious JavaScript code executes within the victim's browser, which may lead to data compromise or manipulation of web content. Though the impact on confidentiality and integrity is limited, users remain at risk if this vulnerability persists.

Affected Version(s)

SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) KRNL64UC 7.53

SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) KERNEL 7.53

SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) KERNEL 7.54

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
