Search criteria
30 vulnerabilities found for supplier_relationship_management by sap
FKIE_CVE-2025-42920
Vulnerability from fkie_nvd - Published: 2025-09-09 02:15 - Updated: 2025-10-24 14:50
Severity ?
Summary
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim's browser scope, impacting confidentiality and integrity, while availability remains unaffected.
References
| URL | Tags | ||
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3647098 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Patch |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | supplier_relationship_management | 7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:7.0:-:*:*:*:*:*:*",
"matchCriteriaId": "ACAEB896-EB40-4D92-BFDF-3A4FB083FDE0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim\u0027s browser scope, impacting confidentiality and integrity, while availability remains unaffected."
}
],
"id": "CVE-2025-42920",
"lastModified": "2025-10-24T14:50:48.223",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cna@sap.com",
"type": "Primary"
}
]
},
"published": "2025-09-09T02:15:40.300",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3647098"
},
{
"source": "cna@sap.com",
"tags": [
"Patch"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-30018
Vulnerability from fkie_nvd - Published: 2025-05-13 01:15 - Updated: 2025-10-23 16:43
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application.
References
| URL | Tags | ||
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3578900 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Not Applicable |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | supplier_relationship_management | 7.14 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:7.14:*:*:*:*:*:*:*",
"matchCriteriaId": "C1A8BC33-96E4-4771-818D-92C1BB3F7E5C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application\u0027s confidentiality, with no effect on integrity and availability of the application."
},
{
"lang": "es",
"value": "Live Auction Cockpit de SAP Supplier Relationship Management (SRM) permite a un atacante no autenticado enviar una solicitud de servlet de aplicaci\u00f3n con un archivo XML manipulado que, al analizarse, le permite acceder a archivos y datos confidenciales. Esta vulnerabilidad tiene un alto impacto en la confidencialidad de la aplicaci\u00f3n, sin afectar su integridad ni disponibilidad."
}
],
"id": "CVE-2025-30018",
"lastModified": "2025-10-23T16:43:25.360",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-05-13T01:15:47.980",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3578900"
},
{
"source": "cna@sap.com",
"tags": [
"Not Applicable"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-30011
Vulnerability from fkie_nvd - Published: 2025-05-13 01:15 - Updated: 2025-10-23 16:55
Severity ?
Summary
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application.
References
| URL | Tags | ||
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3578900 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Not Applicable |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | supplier_relationship_management | 7.14 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:7.14:*:*:*:*:*:*:*",
"matchCriteriaId": "C1A8BC33-96E4-4771-818D-92C1BB3F7E5C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application."
},
{
"lang": "es",
"value": "Live Auction Cockpit de SAP Supplier Relationship Management (SRM) utiliza un componente de applet de Java obsoleto dentro de los paquetes SRM afectados, lo que permite a un atacante no autenticado enviar una solicitud maliciosa a la aplicaci\u00f3n, lo que podr\u00eda revelar la informaci\u00f3n de la versi\u00f3n interna del sistema afectado. Esta vulnerabilidad tiene un impacto bajo en la confidencialidad y no afecta la integridad ni la disponibilidad de la aplicaci\u00f3n."
}
],
"id": "CVE-2025-30011",
"lastModified": "2025-10-23T16:55:32.087",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "cna@sap.com",
"type": "Primary"
}
]
},
"published": "2025-05-13T01:15:47.697",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3578900"
},
{
"source": "cna@sap.com",
"tags": [
"Not Applicable"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-497"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-30010
Vulnerability from fkie_nvd - Published: 2025-05-13 01:15 - Updated: 2025-10-23 16:57
Severity ?
Summary
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application.
References
| URL | Tags | ||
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3578900 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Not Applicable |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | supplier_relationship_management | 7.14 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:7.14:*:*:*:*:*:*:*",
"matchCriteriaId": "C1A8BC33-96E4-4771-818D-92C1BB3F7E5C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application."
},
{
"lang": "es",
"value": "Live Auction Cockpit de SAP Supplier Relationship Management (SRM) utiliza un componente de applet de Java obsoleto dentro de los paquetes SRM afectados. Este componente permite a un atacante no autenticado crear un enlace malicioso que, al hacer clic en \u00e9l, redirige el navegador a un sitio web malicioso. Si se explota con \u00e9xito, el atacante podr\u00eda causar un impacto m\u00ednimo en la confidencialidad e integridad, sin afectar la disponibilidad de la aplicaci\u00f3n."
}
],
"id": "CVE-2025-30010",
"lastModified": "2025-10-23T16:57:58.967",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cna@sap.com",
"type": "Primary"
}
]
},
"published": "2025-05-13T01:15:47.557",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3578900"
},
{
"source": "cna@sap.com",
"tags": [
"Not Applicable"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-30012
Vulnerability from fkie_nvd - Published: 2025-05-13 01:15 - Updated: 2025-10-23 16:52
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application.
References
| URL | Tags | ||
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3578900 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Not Applicable |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | supplier_relationship_management | 7.14 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:7.14:*:*:*:*:*:*:*",
"matchCriteriaId": "C1A8BC33-96E4-4771-818D-92C1BB3F7E5C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application."
},
{
"lang": "es",
"value": "Live Auction Cockpit de SAP Supplier Relationship Management (SRM) utiliza un componente de applet de Java obsoleto dentro de la pila SRM afectada para aceptar objetos binarios de Java en un formato de codificaci\u00f3n espec\u00edfico. Si se explota con \u00e9xito, un atacante autenticado con privilegios elevados podr\u00eda enviar una solicitud de payload malicioso y recibir una solicitud DNS saliente, lo que provocar\u00eda la deserializaci\u00f3n de los datos en la aplicaci\u00f3n. Esta vulnerabilidad tiene un impacto bajo en la confidencialidad, la integridad y la disponibilidad de la aplicaci\u00f3n."
}
],
"id": "CVE-2025-30012",
"lastModified": "2025-10-23T16:52:39.927",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-05-13T01:15:47.833",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3578900"
},
{
"source": "cna@sap.com",
"tags": [
"Not Applicable"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "cna@sap.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-30009
Vulnerability from fkie_nvd - Published: 2025-05-13 01:15 - Updated: 2025-10-23 17:00
Severity ?
Summary
he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim�s browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim�s browser, with no effect on availability of the application
References
| URL | Tags | ||
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3578900 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Not Applicable |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | supplier_relationship_management | 7.14 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:7.14:*:*:*:*:*:*:*",
"matchCriteriaId": "C1A8BC33-96E4-4771-818D-92C1BB3F7E5C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim\ufffds browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim\ufffds browser, with no effect on availability of the application"
},
{
"lang": "es",
"value": "Live Auction Cockpit de SAP Supplier Relationship Management (SRM) utiliza un componente de applet de Java obsoleto dentro de los paquetes SRM afectados, lo que permite a un atacante no autenticado ejecutar un script malicioso en el navegador de la v\u00edctima. Esta vulnerabilidad tiene un impacto m\u00ednimo en la confidencialidad e integridad del navegador de la v\u00edctima, sin afectar la disponibilidad de la aplicaci\u00f3n."
}
],
"id": "CVE-2025-30009",
"lastModified": "2025-10-23T17:00:46.330",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "cna@sap.com",
"type": "Primary"
}
]
},
"published": "2025-05-13T01:15:47.407",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/3578900"
},
{
"source": "cna@sap.com",
"tags": [
"Not Applicable"
],
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
FKIE_CVE-2023-39436
Vulnerability from fkie_nvd - Published: 2023-08-08 01:15 - Updated: 2024-11-21 08:15
Severity ?
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Summary
SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against SRM.
References
| URL | Tags | ||
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/2067220 | Permissions Required | |
| cna@sap.com | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://me.sap.com/notes/2067220 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | supplier_relationship_management | 600 | |
| sap | supplier_relationship_management | 602 | |
| sap | supplier_relationship_management | 603 | |
| sap | supplier_relationship_management | 604 | |
| sap | supplier_relationship_management | 605 | |
| sap | supplier_relationship_management | 606 | |
| sap | supplier_relationship_management | 616 | |
| sap | supplier_relationship_management | 617 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:600:*:*:*:*:*:*:*",
"matchCriteriaId": "55527525-88C2-4FAD-AD3F-023928317556",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:602:*:*:*:*:*:*:*",
"matchCriteriaId": "15FDAEAF-58BD-4839-839F-A1E8C8E0E0AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:603:*:*:*:*:*:*:*",
"matchCriteriaId": "794DE5E4-B5A6-4ACC-8EBF-F76FCAD7369C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:604:*:*:*:*:*:*:*",
"matchCriteriaId": "685CA87A-7F6F-4D75-83D9-C5F26201257D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:605:*:*:*:*:*:*:*",
"matchCriteriaId": "189F4096-39A5-44E6-B954-70B45FA1F695",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:606:*:*:*:*:*:*:*",
"matchCriteriaId": "24247E81-67E8-42DE-9871-2EC7F0960A98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:616:*:*:*:*:*:*:*",
"matchCriteriaId": "2EFCE15C-77A9-4C6E-8616-3F7EBA1EB220",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:617:*:*:*:*:*:*:*",
"matchCriteriaId": "67BE6CAE-5A02-4567-ADEA-2B16C763CA06",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to\u00a0SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against\u00a0SRM."
}
],
"id": "CVE-2023-39436",
"lastModified": "2024-11-21T08:15:25.353",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "cna@sap.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-08T01:15:19.150",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/2067220"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://me.sap.com/notes/2067220"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
FKIE_CVE-2019-0361
Vulnerability from fkie_nvd - Published: 2019-09-10 17:15 - Updated: 2024-11-21 04:16
Severity ?
Summary
SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
References
| URL | Tags | ||
|---|---|---|---|
| cna@sap.com | https://launchpad.support.sap.com/#/notes/2820607 | Permissions Required, Vendor Advisory | |
| cna@sap.com | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.support.sap.com/#/notes/2820607 | Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | supplier_relationship_management | 3.73 | |
| sap | supplier_relationship_management | 7.31 | |
| sap | supplier_relationship_management | 7.32 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:3.73:*:*:*:*:*:*:*",
"matchCriteriaId": "75546A03-CEE3-4AD0-93F6-BC153E2564EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:7.31:*:*:*:*:*:*:*",
"matchCriteriaId": "A854661A-C670-43F3-B339-1D0823B9D39A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:7.32:*:*:*:*:*:*:*",
"matchCriteriaId": "FFFEA783-9B39-456E-923C-A050FCFF2027",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
},
{
"lang": "es",
"value": "SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, versiones anteriores a 3.73, 7.31, 7.32) no codifica suficientemente las entradas controladas por el usuario, resultando en vulnerabilidad de tipo Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2019-0361",
"lastModified": "2024-11-21T04:16:44.497",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-10T17:15:11.127",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2820607"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Vendor Advisory"
],
"url": "https://launchpad.support.sap.com/#/notes/2820607"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-4161
Vulnerability from fkie_nvd - Published: 2014-06-13 14:55 - Updated: 2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to inject arbitrary web script or HTML via the url parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | supplier_relationship_management | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B84727E9-2523-4407-A8C6-BED39B1960B1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to inject arbitrary web script or HTML via the url parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en la/umTestSSO.jsp en SAP Supplier Relationship Management (SRM) permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro url."
}
],
"id": "CVE-2014-4161",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-06-13T14:55:18.087",
"references": [
{
"source": "cve@mitre.org",
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"source": "cve@mitre.org",
"url": "http://scn.sap.com/docs/DOC-8218"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/58889"
},
{
"source": "cve@mitre.org",
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://scn.sap.com/docs/DOC-8218"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/58889"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://service.sap.com/sap/support/notes/1946420"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-4159
Vulnerability from fkie_nvd - Published: 2014-06-13 14:55 - Updated: 2025-04-12 10:46
Severity ?
Summary
Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | supplier_relationship_management | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:supplier_relationship_management:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B84727E9-2523-4407-A8C6-BED39B1960B1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de redirecci\u00f3n abierta en la/umTestSSO.jsp en SAP Supplier Relationship Management (SRM) permite a atacantes remotos redirigir a usuarios a sitios web arbitrarios y llevar a cabo ataques de phishing a trav\u00e9s de una URL en el par\u00e1metro url."
}
],
"evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/601.html\n\n\"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"",
"id": "CVE-2014-4159",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-06-13T14:55:17.947",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"source": "cve@mitre.org",
"url": "http://scn.sap.com/docs/DOC-8218"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/67997"
},
{
"source": "cve@mitre.org",
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://scn.sap.com/docs/DOC-8218"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/67997"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://service.sap.com/sap/support/notes/1946420"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-42920 (GCVE-0-2025-42920)
Vulnerability from cvelistv5 – Published: 2025-09-09 02:09 – Updated: 2025-09-09 13:35
VLAI?
Summary
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim's browser scope, impacting confidentiality and integrity, while availability remains unaffected.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management |
Affected:
SRM_SERVER 700
Affected: 701 Affected: 702 Affected: 713 Affected: 714 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-42920",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T13:34:53.194875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:35:03.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SRM_SERVER 700"
},
{
"status": "affected",
"version": "701"
},
{
"status": "affected",
"version": "702"
},
{
"status": "affected",
"version": "713"
},
{
"status": "affected",
"version": "714"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDue to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim\u0027s browser scope, impacting confidentiality and integrity, while availability remains unaffected.\u003c/p\u003e"
}
],
"value": "Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim\u0027s browser scope, impacting confidentiality and integrity, while availability remains unaffected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T02:09:30.802Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3647098"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-42920",
"datePublished": "2025-09-09T02:09:30.802Z",
"dateReserved": "2025-04-16T13:25:30.253Z",
"dateUpdated": "2025-09-09T13:35:03.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30018 (GCVE-0-2025-30018)
Vulnerability from cvelistv5 – Published: 2025-05-13 00:16 – Updated: 2025-05-13 14:12
VLAI?
Summary
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application.
Severity ?
8.6 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management (Live Auction Cockpit) |
Affected:
SRM_SERVER 7.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T14:09:46.493641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T14:12:04.345Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management (Live Auction Cockpit)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SRM_SERVER 7.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application\u0027s confidentiality, with no effect on integrity and availability of the application.\u003c/p\u003e"
}
],
"value": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application\u0027s confidentiality, with no effect on integrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T00:24:55.347Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3578900"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-30018",
"datePublished": "2025-05-13T00:16:20.584Z",
"dateReserved": "2025-03-13T18:03:35.489Z",
"dateUpdated": "2025-05-13T14:12:04.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30012 (GCVE-0-2025-30012)
Vulnerability from cvelistv5 – Published: 2025-05-13 00:14 – Updated: 2025-07-24 15:59
VLAI?
Summary
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application.
Severity ?
10 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management (Live Auction Cockpit) |
Affected:
SRM_SERVER 7.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30012",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-24T15:59:09.810015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-24T15:59:18.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management (Live Auction Cockpit)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SRM_SERVER 7.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application.\u003c/span\u003e\n\n\u003c/p\u003e"
}
],
"value": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T15:07:25.438Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3578900"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-30012",
"datePublished": "2025-05-13T00:14:21.258Z",
"dateReserved": "2025-03-13T18:03:35.488Z",
"dateUpdated": "2025-07-24T15:59:18.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30011 (GCVE-0-2025-30011)
Vulnerability from cvelistv5 – Published: 2025-05-13 00:13 – Updated: 2025-05-13 18:39
VLAI?
Summary
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application.
Severity ?
5.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management (Live Auction Cockpit) |
Affected:
SRM_SERVER 7.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30011",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T18:32:02.623831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T18:39:20.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management (Live Auction Cockpit)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SRM_SERVER 7.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application.\u003c/p\u003e"
}
],
"value": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T00:13:16.048Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3578900"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-30011",
"datePublished": "2025-05-13T00:13:16.048Z",
"dateReserved": "2025-03-13T18:03:35.488Z",
"dateUpdated": "2025-05-13T18:39:20.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30010 (GCVE-0-2025-30010)
Vulnerability from cvelistv5 – Published: 2025-05-13 00:13 – Updated: 2025-05-13 14:27
VLAI?
Summary
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application.
Severity ?
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management (Live Auction Cockpit) |
Affected:
SRM_SERVER 7.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30010",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T14:26:02.427165Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T14:27:01.826Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management (Live Auction Cockpit)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SRM_SERVER 7.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application.\u003c/p\u003e"
}
],
"value": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T00:13:04.776Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3578900"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-30010",
"datePublished": "2025-05-13T00:13:04.776Z",
"dateReserved": "2025-03-13T18:03:35.488Z",
"dateUpdated": "2025-05-13T14:27:01.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30009 (GCVE-0-2025-30009)
Vulnerability from cvelistv5 – Published: 2025-05-13 00:12 – Updated: 2025-05-13 14:06
VLAI?
Summary
he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim�s browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim�s browser, with no effect on availability of the application
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management (Live Auction Cockpit) |
Affected:
SRM_SERVER 7.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30009",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T14:06:21.690070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T14:06:31.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management (Live Auction Cockpit)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SRM_SERVER 7.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ehe Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim\ufffds browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim\ufffds browser, with no effect on availability of the application\u003c/p\u003e"
}
],
"value": "he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim\ufffds browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim\ufffds browser, with no effect on availability of the application"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T00:12:52.634Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3578900"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-30009",
"datePublished": "2025-05-13T00:12:52.634Z",
"dateReserved": "2025-03-13T18:03:35.488Z",
"dateUpdated": "2025-05-13T14:06:31.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39436 (GCVE-0-2023-39436)
Vulnerability from cvelistv5 – Published: 2023-08-08 00:48 – Updated: 2024-10-15 20:13
VLAI?
Summary
SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against SRM.
Severity ?
5.8 (Medium)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management |
Affected:
600
Affected: 602 Affected: 603 Affected: 604 Affected: 605 Affected: 606 Affected: 616 Affected: 617 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:20.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/2067220"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39436",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T20:13:08.498052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T20:13:19.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "602"
},
{
"status": "affected",
"version": "603"
},
{
"status": "affected",
"version": "604"
},
{
"status": "affected",
"version": "605"
},
{
"status": "affected",
"version": "606"
},
{
"status": "affected",
"version": "616"
},
{
"status": "affected",
"version": "617"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to\u00a0SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against\u00a0SRM.\u003c/p\u003e"
}
],
"value": "SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to\u00a0SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against\u00a0SRM."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-28T22:07:01.413Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/2067220"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information Disclosure in SAP Supplier Relationship Management",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-39436",
"datePublished": "2023-08-08T00:48:18.892Z",
"dateReserved": "2023-08-01T21:49:02.687Z",
"dateUpdated": "2024-10-15T20:13:19.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0361 (GCVE-0-2019-0361)
Vulnerability from cvelistv5 – Published: 2019-09-10 16:09 – Updated: 2024-08-04 17:44
VLAI?
Summary
SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Supplier Relationship Management (Master Data Management Catalog) (SRM_MDM_CAT) |
Affected:
< 3.73
Affected: < 7.31 Affected: < 7.32 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:16.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2820607"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Supplier Relationship Management (Master Data Management Catalog) (SRM_MDM_CAT)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 3.73"
},
{
"status": "affected",
"version": "\u003c 7.31"
},
{
"status": "affected",
"version": "\u003c 7.32"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-10T16:09:25",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2820607"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0361",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Supplier Relationship Management (Master Data Management Catalog) (SRM_MDM_CAT)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "3.73"
},
{
"version_name": "\u003c",
"version_value": "7.31"
},
{
"version_name": "\u003c",
"version_value": "7.32"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506",
"refsource": "CONFIRM",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2820607",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2820607"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0361",
"datePublished": "2019-09-10T16:09:25",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T17:44:16.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4159 (GCVE-0-2014-4159)
Vulnerability from cvelistv5 – Published: 2014-06-13 14:00 – Updated: 2024-08-06 11:04
VLAI?
Summary
Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:04:28.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://scn.sap.com/docs/DOC-8218"
},
{
"name": "67997",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/67997"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-05-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-06-20T13:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://scn.sap.com/docs/DOC-8218"
},
{
"name": "67997",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/67997"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4159",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://service.sap.com/sap/support/notes/1946420",
"refsource": "CONFIRM",
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"name": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html",
"refsource": "MISC",
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"name": "http://scn.sap.com/docs/DOC-8218",
"refsource": "CONFIRM",
"url": "http://scn.sap.com/docs/DOC-8218"
},
{
"name": "67997",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/67997"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-4159",
"datePublished": "2014-06-13T14:00:00",
"dateReserved": "2014-06-13T00:00:00",
"dateUpdated": "2024-08-06T11:04:28.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4161 (GCVE-0-2014-4161)
Vulnerability from cvelistv5 – Published: 2014-06-13 14:00 – Updated: 2024-09-17 02:27
VLAI?
Summary
Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to inject arbitrary web script or HTML via the url parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:04:28.641Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "58889",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/58889"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://scn.sap.com/docs/DOC-8218"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to inject arbitrary web script or HTML via the url parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-06-13T14:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "58889",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/58889"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://scn.sap.com/docs/DOC-8218"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4161",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to inject arbitrary web script or HTML via the url parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "58889",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/58889"
},
{
"name": "https://service.sap.com/sap/support/notes/1946420",
"refsource": "CONFIRM",
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"name": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html",
"refsource": "MISC",
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"name": "http://scn.sap.com/docs/DOC-8218",
"refsource": "CONFIRM",
"url": "http://scn.sap.com/docs/DOC-8218"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-4161",
"datePublished": "2014-06-13T14:00:00Z",
"dateReserved": "2014-06-13T00:00:00Z",
"dateUpdated": "2024-09-17T02:27:31.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-42920 (GCVE-0-2025-42920)
Vulnerability from nvd – Published: 2025-09-09 02:09 – Updated: 2025-09-09 13:35
VLAI?
Summary
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim's browser scope, impacting confidentiality and integrity, while availability remains unaffected.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management |
Affected:
SRM_SERVER 700
Affected: 701 Affected: 702 Affected: 713 Affected: 714 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-42920",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-09T13:34:53.194875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T13:35:03.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SRM_SERVER 700"
},
{
"status": "affected",
"version": "701"
},
{
"status": "affected",
"version": "702"
},
{
"status": "affected",
"version": "713"
},
{
"status": "affected",
"version": "714"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDue to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim\u0027s browser scope, impacting confidentiality and integrity, while availability remains unaffected.\u003c/p\u003e"
}
],
"value": "Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim\u0027s browser scope, impacting confidentiality and integrity, while availability remains unaffected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T02:09:30.802Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3647098"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-42920",
"datePublished": "2025-09-09T02:09:30.802Z",
"dateReserved": "2025-04-16T13:25:30.253Z",
"dateUpdated": "2025-09-09T13:35:03.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30018 (GCVE-0-2025-30018)
Vulnerability from nvd – Published: 2025-05-13 00:16 – Updated: 2025-05-13 14:12
VLAI?
Summary
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application.
Severity ?
8.6 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management (Live Auction Cockpit) |
Affected:
SRM_SERVER 7.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T14:09:46.493641Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T14:12:04.345Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management (Live Auction Cockpit)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SRM_SERVER 7.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application\u0027s confidentiality, with no effect on integrity and availability of the application.\u003c/p\u003e"
}
],
"value": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application\u0027s confidentiality, with no effect on integrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T00:24:55.347Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3578900"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-30018",
"datePublished": "2025-05-13T00:16:20.584Z",
"dateReserved": "2025-03-13T18:03:35.489Z",
"dateUpdated": "2025-05-13T14:12:04.345Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30012 (GCVE-0-2025-30012)
Vulnerability from nvd – Published: 2025-05-13 00:14 – Updated: 2025-07-24 15:59
VLAI?
Summary
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application.
Severity ?
10 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management (Live Auction Cockpit) |
Affected:
SRM_SERVER 7.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30012",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-24T15:59:09.810015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-24T15:59:18.619Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management (Live Auction Cockpit)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SRM_SERVER 7.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application.\u003c/span\u003e\n\n\u003c/p\u003e"
}
],
"value": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to execution of arbitrary OS command on target as SAP Administrator. This vulnerability has High impact on confidentiality, integrity, and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-07T15:07:25.438Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3578900"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-30012",
"datePublished": "2025-05-13T00:14:21.258Z",
"dateReserved": "2025-03-13T18:03:35.488Z",
"dateUpdated": "2025-07-24T15:59:18.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30011 (GCVE-0-2025-30011)
Vulnerability from nvd – Published: 2025-05-13 00:13 – Updated: 2025-05-13 18:39
VLAI?
Summary
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application.
Severity ?
5.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management (Live Auction Cockpit) |
Affected:
SRM_SERVER 7.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30011",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T18:32:02.623831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T18:39:20.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management (Live Auction Cockpit)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SRM_SERVER 7.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application.\u003c/p\u003e"
}
],
"value": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T00:13:16.048Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3578900"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-30011",
"datePublished": "2025-05-13T00:13:16.048Z",
"dateReserved": "2025-03-13T18:03:35.488Z",
"dateUpdated": "2025-05-13T18:39:20.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30010 (GCVE-0-2025-30010)
Vulnerability from nvd – Published: 2025-05-13 00:13 – Updated: 2025-05-13 14:27
VLAI?
Summary
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application.
Severity ?
6.1 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management (Live Auction Cockpit) |
Affected:
SRM_SERVER 7.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30010",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T14:26:02.427165Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T14:27:01.826Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management (Live Auction Cockpit)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SRM_SERVER 7.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application.\u003c/p\u003e"
}
],
"value": "The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T00:13:04.776Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3578900"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-30010",
"datePublished": "2025-05-13T00:13:04.776Z",
"dateReserved": "2025-03-13T18:03:35.488Z",
"dateUpdated": "2025-05-13T14:27:01.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30009 (GCVE-0-2025-30009)
Vulnerability from nvd – Published: 2025-05-13 00:12 – Updated: 2025-05-13 14:06
VLAI?
Summary
he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim�s browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim�s browser, with no effect on availability of the application
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management (Live Auction Cockpit) |
Affected:
SRM_SERVER 7.14
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30009",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T14:06:21.690070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T14:06:31.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management (Live Auction Cockpit)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SRM_SERVER 7.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ehe Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim\ufffds browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim\ufffds browser, with no effect on availability of the application\u003c/p\u003e"
}
],
"value": "he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim\ufffds browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim\ufffds browser, with no effect on availability of the application"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T00:12:52.634Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3578900"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-30009",
"datePublished": "2025-05-13T00:12:52.634Z",
"dateReserved": "2025-03-13T18:03:35.488Z",
"dateUpdated": "2025-05-13T14:06:31.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-39436 (GCVE-0-2023-39436)
Vulnerability from nvd – Published: 2023-08-08 00:48 – Updated: 2024-10-15 20:13
VLAI?
Summary
SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against SRM.
Severity ?
5.8 (Medium)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Supplier Relationship Management |
Affected:
600
Affected: 602 Affected: 603 Affected: 604 Affected: 605 Affected: 606 Affected: 616 Affected: 617 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:20.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/2067220"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-39436",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T20:13:08.498052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T20:13:19.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Supplier Relationship Management",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "602"
},
{
"status": "affected",
"version": "603"
},
{
"status": "affected",
"version": "604"
},
{
"status": "affected",
"version": "605"
},
{
"status": "affected",
"version": "606"
},
{
"status": "affected",
"version": "616"
},
{
"status": "affected",
"version": "617"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to\u00a0SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against\u00a0SRM.\u003c/p\u003e"
}
],
"value": "SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to\u00a0SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the attacker to specialize their attacks against\u00a0SRM."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-28T22:07:01.413Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/2067220"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information Disclosure in SAP Supplier Relationship Management",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-39436",
"datePublished": "2023-08-08T00:48:18.892Z",
"dateReserved": "2023-08-01T21:49:02.687Z",
"dateUpdated": "2024-10-15T20:13:19.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-0361 (GCVE-0-2019-0361)
Vulnerability from nvd – Published: 2019-09-10 16:09 – Updated: 2024-08-04 17:44
VLAI?
Summary
SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Severity ?
No CVSS data available.
CWE
- Cross-Site Scripting
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP SE | SAP Supplier Relationship Management (Master Data Management Catalog) (SRM_MDM_CAT) |
Affected:
< 3.73
Affected: < 7.31 Affected: < 7.32 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:44:16.592Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2820607"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP Supplier Relationship Management (Master Data Management Catalog) (SRM_MDM_CAT)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c 3.73"
},
{
"status": "affected",
"version": "\u003c 7.31"
},
{
"status": "affected",
"version": "\u003c 7.32"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-Site Scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-10T16:09:25",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.support.sap.com/#/notes/2820607"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2019-0361",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP Supplier Relationship Management (Master Data Management Catalog) (SRM_MDM_CAT)",
"version": {
"version_data": [
{
"version_name": "\u003c",
"version_value": "3.73"
},
{
"version_name": "\u003c",
"version_value": "7.31"
},
{
"version_name": "\u003c",
"version_value": "7.32"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-Site Scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506",
"refsource": "CONFIRM",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=525962506"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2820607",
"refsource": "MISC",
"url": "https://launchpad.support.sap.com/#/notes/2820607"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2019-0361",
"datePublished": "2019-09-10T16:09:25",
"dateReserved": "2018-11-26T00:00:00",
"dateUpdated": "2024-08-04T17:44:16.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4159 (GCVE-0-2014-4159)
Vulnerability from nvd – Published: 2014-06-13 14:00 – Updated: 2024-08-06 11:04
VLAI?
Summary
Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:04:28.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://scn.sap.com/docs/DOC-8218"
},
{
"name": "67997",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/67997"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-05-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-06-20T13:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://scn.sap.com/docs/DOC-8218"
},
{
"name": "67997",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/67997"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4159",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://service.sap.com/sap/support/notes/1946420",
"refsource": "CONFIRM",
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"name": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html",
"refsource": "MISC",
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"name": "http://scn.sap.com/docs/DOC-8218",
"refsource": "CONFIRM",
"url": "http://scn.sap.com/docs/DOC-8218"
},
{
"name": "67997",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/67997"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-4159",
"datePublished": "2014-06-13T14:00:00",
"dateReserved": "2014-06-13T00:00:00",
"dateUpdated": "2024-08-06T11:04:28.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4161 (GCVE-0-2014-4161)
Vulnerability from nvd – Published: 2014-06-13 14:00 – Updated: 2024-09-17 02:27
VLAI?
Summary
Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to inject arbitrary web script or HTML via the url parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:04:28.641Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "58889",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/58889"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://scn.sap.com/docs/DOC-8218"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to inject arbitrary web script or HTML via the url parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-06-13T14:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "58889",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/58889"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://scn.sap.com/docs/DOC-8218"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4161",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to inject arbitrary web script or HTML via the url parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "58889",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/58889"
},
{
"name": "https://service.sap.com/sap/support/notes/1946420",
"refsource": "CONFIRM",
"url": "https://service.sap.com/sap/support/notes/1946420"
},
{
"name": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html",
"refsource": "MISC",
"url": "http://blog.emaze.net/2014/05/sap-multiple-vulnerabilities.html"
},
{
"name": "http://scn.sap.com/docs/DOC-8218",
"refsource": "CONFIRM",
"url": "http://scn.sap.com/docs/DOC-8218"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-4161",
"datePublished": "2014-06-13T14:00:00Z",
"dateReserved": "2014-06-13T00:00:00Z",
"dateUpdated": "2024-09-17T02:27:31.876Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}