Vulners
Lucene search
SAP NetWeaver AS ABAP XSS (3559307)
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | CVE-2025-26653 | 8 Apr 202507:46 | – | circl |
 | SAP NetWeaver Server ABAP 跨站脚本漏洞 | 8 Apr 202500:00 | – | cnnvd |
 | SAP NetWeaver Application Server ABAP Cross-Site Scripting Vulnerability | 18 Apr 202500:00 | – | cnvd |
 | CVE-2025-26653 | 8 Apr 202507:10 | – | cve |
 | CVE-2025-26653 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) | 8 Apr 202507:10 | – | cvelist |
 | EUVD-2025-10107 | 3 Oct 202520:07 | – | euvd |
 | Vulnerabilities fixed in SAP products | 30 Apr 202513:12 | – | ncsc |
 | CVE-2025-26653 | 8 Apr 202508:15 | – | nvd |
 | PT-2025-15364 · Sap · Sap Netweaver Application Server Abap | 8 Apr 202500:00 | – | ptsecurity |
 | CVE-2025-26653 | 10 Apr 202507:46 | – | redhatcve |
10
| Source | Link |
|---|---|
| nessus | www.nessus.org/u |
| me | www.me.sap.com/notes/3559307 |
| cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(234227);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2025/04/11");
script_cve_id("CVE-2025-26653");
script_name(english:"SAP NetWeaver AS ABAP XSS (3559307)");
script_set_attribute(attribute:"synopsis", value:
"The remote SAP NetWeaver ABAP server may be affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote SAP NetWeaver ABAP server may be affected by an information disclosure vulnerability.
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading
to Stored Cross-Site Scripting (XSS) vulnerability. This enables an attacker, without requiring any
privileges, to inject malicious JavaScript into a website. When a user visits the compromised page,
the injected script gets executed, potentially compromising the confidentiality and integrity within
the scope of the victimâs browser. Availability is not impacted.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
# https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?92dca101");
script_set_attribute(attribute:"see_also", value:"https://me.sap.com/notes/3559307");
script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-26653");
script_set_attribute(attribute:"vuln_publication_date", value:"2025/04/08");
script_set_attribute(attribute:"patch_publication_date", value:"2025/04/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/04/11");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:sap:netweaver_application_server");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("sap_netweaver_as_web_detect.nbin");
script_require_keys("installed_sw/SAP Netweaver Application Server (AS)", "Settings/ParanoidReport");
script_require_ports("Services/www", 80, 443, 8000, 50000);
exit(0);
}
include('vcf_extras_sap.inc');
var app_info = vcf::sap_netweaver_as::get_app_info();
if (report_paranoia < 2)
audit(AUDIT_PARANOID);
var fix = 'See vendor advisory';
var constraints = [
{'equal':'7.22', 'fixed_display': fix},
{'equal':'7.53', 'fixed_display': fix},
{'equal':'7.54', 'fixed_display': fix},
{'equal':'7.77', 'fixed_display': fix},
{'equal':'7.89', 'fixed_display': fix},
{'equal':'7.93', 'fixed_display': fix},
{'equal':'9.14', 'fixed_display': fix},
];
vcf::sap_netweaver_as::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_WARNING,
abap:TRUE,
flags: {'xss':true}
);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Apr 2025 00:00Current
5.5Medium risk
Vulners AI Score5.5
CVSS 3.14.7
EPSS0.00217
SSVC