VYPR
Low severity (3.0) · NVD Advisory · Published Jun 10, 2025 · Updated Apr 15, 2026

CVE-2025-42990

Description

Unprotected SAPUI5 applications allow an attacker with basic privileges to inject malicious HTML code into a webpage, with the goal of redirecting users to the attacker-controlled URL. This issue could impact the integrity of the application. Confidentiality and availability are not impacted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-42990 is a low-severity vulnerability in SAPUI5 applications that allows an attacker to inject malicious HTML and redirect users to an attacker-controlled URL.

Vulnerability

Description

CVE-2025-42990 describes an insufficient input sanitization issue in SAPUI5 applications that permits HTML injection. An attacker with basic privileges can embed arbitrary HTML into a vulnerable webpage, and that markup is then rendered in other users' browsers. The root cause is user-supplied content being written into the page as markup without output encoding, so characters such as `<`, `>` and `"` keep their HTML meaning instead of being displayed literally [1].

Exploitation

Prerequisites

To exploit this flaw, the attacker must already hold basic privileges on the target SAP system, i.e. a valid, low-privileged account that can authenticate and submit crafted input. No special network position is required, and no user interaction beyond normally loading the affected page is needed for the injected HTML to reach other users. The attack surface is limited to UI components that reflect or reuse user input without adequate encoding [1].

Impact

Assessment

Successful exploitation lets the attacker inject HTML that redirects victims to an attacker-controlled URL, so the content a user sees, and where the browser navigates, is no longer under the application's control. Per the official description, confidentiality and availability are not affected; the practical risk is phishing-style attacks in which a victim is sent to a look-alike page and tricked into entering credentials or taking some other action the attacker wants [1].
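The following is an added example illustrating the mechanism in the Description above and the redirect outcome in this Impact section; it is not SAPUI5 code and not taken from the advisory. It models the vulnerable pattern (user input concatenated into markup), the hardened form (output encoding equivalent to UI5's `sap/base/security/encodeXML`), and a review-time check that lists the markup-only redirect vectors (meta refresh, anchor, form, iframe) in a rendered fragment that point outside the application's origin. The payload, the `displayName` field, the `renderUnsafe`/`renderSafe`/`findRedirectVectors` helpers and the origins `app.example` and `attacker.example` are all constructed for the example.

```javascript
// Added example (not SAPUI5 code): minimal model of the HTML-injection-to-
// redirect path described for CVE-2025-42990. The encoder below mirrors what
// sap/base/security/encodeXML does; the payload and origins are constructed.

// Vulnerable pattern: a user-controlled profile field is concatenated into
// markup, so a <meta refresh> survives and the browser navigates away.
function renderUnsafe(displayName) {
  return `<div class="profileHeader">Welcome, ${displayName}</div>`;
}

// Hardened form: encode the five markup-significant characters before the
// value is placed into HTML. The browser then shows the payload as text.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSafe(displayName) {
  return `<div class="profileHeader">Welcome, ${encodeHtml(displayName)}</div>`;
}

// Review-time check: return every navigation target in a rendered HTML
// fragment whose origin differs from the application's own origin. No
// script execution is needed for any of these vectors, which is why an
// HTML-injection (as opposed to XSS) finding can still redirect users.
function findRedirectVectors(html, appOrigin) {
  const targets = [];
  const metaRefresh =
    /<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["'][^"']*url\s*=\s*([^"'\s;]+)/gi;
  const attrLinks = /<(?:a|form|iframe)\b[^>]*\b(?:href|action|src)\s*=\s*["']?([^"'\s>]+)/gi;
  for (const re of [metaRefresh, attrLinks]) {
    let m;
    while ((m = re.exec(html)) !== null) targets.push(m[1]);
  }
  const own = new URL(appOrigin).origin;
  return targets.filter((t) => {
    try {
      // Relative targets resolve against the app origin and are kept in-app.
      return new URL(t, appOrigin).origin !== own;
    } catch {
      return false; // unparsable value, not a usable redirect
    }
  });
}

// Constructed payload: a low-privileged user sets their display name to a
// meta refresh pointing at a look-alike login page on an attacker host.
const PAYLOAD =
  '<meta http-equiv="refresh" content="0;url=https://attacker.example/login">';
const APP_ORIGIN = "https://app.example";

// Runs the same payload through both renderers and reports off-origin targets.
function demo() {
  return {
    unsafe: findRedirectVectors(renderUnsafe(PAYLOAD), APP_ORIGIN),
    safe: findRedirectVectors(renderSafe(PAYLOAD), APP_ORIGIN),
  };
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block prints one off-origin target for the unsafe renderer and none for the encoded one. In a real SAPUI5 application the equivalent fix is to bind user data to control properties (which UI5 encodes on render) or to apply `encodeXML` before building markup by hand, and to avoid `sap.ui.core.HTML` with unsanitized content.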

Mitigation

Status

SAP addresses this vulnerability through its monthly Security Patch Day process. The vendor recommends implementing the corresponding SAP Security Note, which is available in the SAP for Me portal. Because SAP rates the issue Low, the correction ships with the newest support package for releases in mainstream and extended maintenance. Administrators should apply the provided patches as soon as feasible [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
