VYPR
Medium severity (CVSS 5.4) · NVD Advisory · Published Jul 8, 2025 · Updated Apr 15, 2026

CVE-2025-42973

Description

Due to a Cross-Site Scripting vulnerability in SAP Data Services Management Console, an authenticated attacker could exploit the search functionality associated with DQ job status reports. By intercepting requests, malicious script can be injected and subsequently executed when a user loads the affected page. This results in a limited impact on the confidentiality and integrity of user session information, while availability remains unaffected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated stored XSS in SAP Data Services Management Console via DQ job status report search allows session data theft.

Vulnerability

Overview

The vulnerability, tracked as CVE-2025-42973, is a Cross-Site Scripting (XSS) flaw in the SAP Data Services Management Console. The root cause lies in insufficient sanitization of user input within the search functionality used for DQ job status reports. An authenticated attacker can craft a malicious script and inject it by intercepting requests, leading to stored or reflected script execution [1].

Exploitation

Exploitation requires prior authentication to the SAP Data Services Management Console. The attacker must be able to intercept and modify requests, or submit crafted input, to the search field associated with DQ job status reports. When a legitimate user subsequently loads the affected page, the injected script executes in the context of that user's browser session. No additional privileges beyond basic authentication are needed to trigger the vulnerability [1].
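As an added illustration of the flaw class described above (not SAP's code, which is not on this page; the markup, the field name `q` and the probe string are constructed assumptions), here is a report search term interpolated raw into the page, beside the same page with encoding matched to each output context, including the inline-script case that HTML escaping alone does not cover:

```python
import html
import json

# Constructed probe string standing in for a search term submitted to a job
# status report search field. Hypothetical input, not taken from the advisory.
HOSTILE_TERM = '"><script>document.title=1</script>'


def render_unsafe(term: str) -> str:
    """Vulnerable pattern: the search term is interpolated raw into the
    attribute value of the search box and into the results heading."""
    return (f'<input name="q" value="{term}">'
            f'<p>Results for {term}</p>')


def render_hardened(term: str) -> str:
    """Hardened pattern: html.escape with quote=True encodes <, >, &, " and '
    so the term is safe both inside a quoted attribute and as text content."""
    safe = html.escape(term, quote=True)
    return (f'<input name="q" value="{safe}">'
            f'<p>Results for {safe}</p>')


def render_js_context(term: str) -> str:
    """If the term is also reflected into an inline script (an assumption for
    illustration), HTML escaping is the wrong encoder: emit it as a JSON string
    literal and neutralise '</' so a '</script>' inside the term cannot close
    the real script element early."""
    literal = json.dumps(term).replace("</", "<\\/")
    return f"<script>var q = {literal};</script>"


def contains_live_script(markup: str) -> bool:
    """Crude check used for the comparison: is there an unencoded <script>
    start tag in the markup? A real review would inspect the parsed DOM."""
    return "<script>" in markup.lower()
```

For the inline-script case the thing to check is that only the page's own closing tag survives, i.e. `render_js_context(HOSTILE_TERM).count("</script>") == 1`.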

Impact

Successful exploitation results in limited impact on the confidentiality and integrity of user session information. The attacker can, for example, steal session cookies or alter data displayed on the page, but cannot directly affect the availability of the system. According to SAP's advisory, the CVSS v3 base score is 5.4, confirming the limited but real risk to session data [1].

Mitigation

SAP has released security patches as part of its regular Security Patch Day on the second Tuesday of each month. The fix is provided in the latest support packages for versions under mainstream and extended maintenance. Administrators are strongly advised to apply the relevant SAP Security Note immediately [1]. No workarounds are publicly documented.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.