CVE-2025-42962
Description
SAP Business Warehouse (Business Explorer Web) allows an attacker to create a malicious link. If an authenticated user clicks on this link, the injected script gets executed within the scope of victim's browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP Business Warehouse Business Explorer Web is vulnerable to stored cross-site scripting via malicious links, allowing script execution in the victim's browser.
Root Cause
CVE-2025-42962 is a cross-site scripting (XSS) vulnerability in SAP Business Warehouse (Business Explorer Web). The application fails to properly sanitize user-controlled input when constructing links. An attacker can craft a malicious link that, when clicked by an authenticated user, causes arbitrary JavaScript injected by the attacker to execute in the context of the victim's session [1].
Exploitation Prerequisites
The attack requires an authenticated user session on the victim's side for the malicious link to take effect, but the attacker does not need special privileges beyond the ability to create or share crafted URLs. The attack vector is network-based and triggered by user interaction (clicking the link). No authentication is needed for the attacker; the victim must be authenticated to the affected SAP system [1].
Impact
Successful exploitation leads to compromise of confidentiality and integrity within the victim's browser session. The attacker can potentially read sensitive data displayed in the application, perform actions on behalf of the victim, or modify content shown in the browser. Availability is not affected [1].
Mitigation
SAP has released security patches as part of its monthly Security Patch Day. These fixes are available via SAP Security Notes for the affected versions under mainstream and extended maintenance. Administrators should apply the relevant patches promptly; no workarounds are documented [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.