Stored Cross-Site Scripting in SAP NetWeaver Java Application Server
CVE-2025-27431

5.4MEDIUM

Key Information:

Vendor: SAP
Status: SAP Netweaver Application Server Java
Vendor: CVE Published:; 11 March 2025

What is CVE-2025-27431?

The user management features in the SAP NetWeaver Application Server Java are susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. This security flaw allows an attacker to inject harmful scripts that are stored within the application. When a victim accesses the affected functionalities, these scripts can execute in their browser context, potentially leading to information leaks or unauthorized alterations of data. However, this vulnerability does not affect the availability of the application.

Affected Version(s)

SAP NetWeaver Application Server Java AJAX-RUNTIME 7.50

References

https://me.sap.com/notes/3567246

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2025
Vulnerability Reserved
Feb 25, 2025