CVE-2025-42990 PUBLISHED

HTML Injection in Unprotected SAPUI5 applications

Assigner: sap
Reserved: 16.04.2025 Published: 10.06.2025 Updated: 10.06.2025

Unprotected SAPUI5 applications allow an attacker with basic privileges to inject malicious HTML code into a webpage, with the goal of redirecting users to the attacker controlled URL. This issue could impact the integrity of the application. Confidentiality or Availability are not impacted.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
CVSS Score: 3

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAPUI5 applications
Versions	Default: unaffected Version SAP_UI 750 is affected Version 754 is affected Version 755 is affected Version 756 is affected Version 757 is affected Version 758 is affected Version UI_700 200 is affected

CVE-2025-42990 PUBLISHED

HTML Injection in Unprotected SAPUI5 applications

Metrics

Product Status

References

Problem Types