Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-42944 (GCVE-0-2025-42944)
Vulnerability from cvelistv5 – Published: 2025-09-09 02:11 – Updated: 2026-02-26 17:49
VLAI
EPSS
Title
Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)
Summary
Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability.
Severity
10 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | SAP Netweaver (RMI-P4) |
Affected:
SERVERCORE 7.50
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-42944",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T03:55:58.200808Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:49:05.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Netweaver (RMI-P4)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "SERVERCORE 7.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDue to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application\u0027s confidentiality, integrity, and availability.\u003c/p\u003e"
}
],
"value": "Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application\u0027s confidentiality, integrity, and availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T18:23:36.628Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3670067"
},
{
"url": "https://me.sap.com/notes/3660659"
},
{
"url": "https://me.sap.com/notes/3634501"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-42944",
"datePublished": "2025-09-09T02:11:39.754Z",
"dateReserved": "2025-04-16T13:25:37.187Z",
"dateUpdated": "2026-02-26T17:49:05.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-42944",
"date": "2026-06-07",
"epss": "0.00416",
"percentile": "0.6205"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-42944\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2025-09-09T02:15:42.173\",\"lastModified\":\"2025-11-12T19:15:36.020\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application\u0027s confidentiality, integrity, and availability.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://me.sap.com/notes/3634501\",\"source\":\"cna@sap.com\"},{\"url\":\"https://me.sap.com/notes/3660659\",\"source\":\"cna@sap.com\"},{\"url\":\"https://me.sap.com/notes/3670067\",\"source\":\"cna@sap.com\"},{\"url\":\"https://url.sap/sapsecuritypatchday\",\"source\":\"cna@sap.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-42944\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-10T03:55:58.200808Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-09T13:25:08.450Z\"}}], \"cna\": {\"title\": \"Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP Netweaver (RMI-P4)\", \"versions\": [{\"status\": \"affected\", \"version\": \"SERVERCORE 7.50\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://me.sap.com/notes/3670067\"}, {\"url\": \"https://me.sap.com/notes/3660659\"}, {\"url\": \"https://me.sap.com/notes/3634501\"}, {\"url\": \"https://url.sap/sapsecuritypatchday\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application\u0027s confidentiality, integrity, and availability.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eDue to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application\u0027s confidentiality, integrity, and availability.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"eng\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2025-11-12T18:23:36.628Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-42944\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T17:49:05.927Z\", \"dateReserved\": \"2025-04-16T13:25:37.187Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2025-09-09T02:11:39.754Z\", \"assignerShortName\": \"sap\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
NCSC-2025-0275
Vulnerability from csaf_ncscnl - Published: 2025-09-09 11:12 - Updated: 2025-09-09 11:12Summary
Kwetsbaarheden verholpen in SAP producten
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: SAP heeft kwetsbaarheden verholpen in verschillende producten, waaronder in SAP NetWeaver, SAP NetWeaver Application Server Java en SAP Landscape Transformation.
Interpretaties: De kwetsbaarheden bevinden zich onder andere in de RMI-P4 module en de SAP NetWeaver AS Java platform.
De kwetsbaarheid met kenmerk CVE-2025-42944 betreft een deserialisatieprobleem dat kan worden misbruikt door niet-geauthenticeerde aanvallers, wat kan leiden tot willekeurige OS-commando-executie. Dit bedreigt de vertrouwelijkheid, integriteit en beschikbaarheid van de applicatie.
De kwetsbaarheid met kenmerk CVE-2025-42922 stelt geauthenticeerde niet-administratieve gebruikers in staat om willekeurige bestanden te uploaden via de Deploy Web Service-functie. Dit kan ook leiden tot compromittering van systeemvertrouwelijkheid, integriteit en beschikbaarheid.
Oplossingen: SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-250: Execution with Unnecessary Privileges
CWE-287: Improper Authentication
CWE-306: Missing Authentication for Critical Function
CWE-341: Predictable from Observable State
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-404: Improper Resource Shutdown or Release
CWE-502: Deserialization of Untrusted Data
CWE-521: Weak Password Requirements
CWE-522: Insufficiently Protected Credentials
CWE-606: Unchecked Input for Loop Condition
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization
CWE-1022: Use of Web Link to Untrusted Target with window.opener Access
CWE-1287: Improper Validation of Specified Type of Input
CWE-1395: Dependency on Vulnerable Third-Party Component
7.5 (High)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
9.6 (Critical)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
CWE-404
- Improper Resource Shutdown or Release
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
7.4 (High)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
7.7 (High)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
5.0 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
6.5 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
CWE-862
- Missing Authorization
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
CWE-862
- Missing Authorization
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
CWE-862
- Missing Authorization
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
8.1 (High)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
6.5 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
4.3 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
6.1 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
9.9 (Critical)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
4.3 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
4.3 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
5.3 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
CWE-1395
- Dependency on Vulnerable Third-Party Component
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
8.1 (High)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
6.5 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
8.8 (High)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
6.1 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
CWE-1022
- Use of Web Link to Untrusted Target with window.opener Access
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
10.0 (Critical)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
9.1 (Critical)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
4.9 (Medium)
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business Planning and Consolidation
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver AS Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Business One (SLD)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori (Launchpad)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Fiori App (F4044 Manage Work Center Groups)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (Approve Timesheets Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP HCM (My Timesheet Fiori 2.0 application)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Landscape Transformation Replication Server
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver (Service Data Download)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Adobe Document Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (Deploy Web Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver AS Java (IIOP Service)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver Application Server for ABAP (Background Processing)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP NetWeaver and ABAP Platform (Service Data Collection)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP S/4HANA (Private Cloud or On-Premise)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
References
28 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "SAP heeft kwetsbaarheden verholpen in verschillende producten, waaronder in SAP NetWeaver, SAP NetWeaver Application Server Java en SAP Landscape Transformation.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden bevinden zich onder andere in de RMI-P4 module en de SAP NetWeaver AS Java platform.\n\nDe kwetsbaarheid met kenmerk CVE-2025-42944 betreft een deserialisatieprobleem dat kan worden misbruikt door niet-geauthenticeerde aanvallers, wat kan leiden tot willekeurige OS-commando-executie. Dit bedreigt de vertrouwelijkheid, integriteit en beschikbaarheid van de applicatie.\n\nDe kwetsbaarheid met kenmerk CVE-2025-42922 stelt geauthenticeerde niet-administratieve gebruikers in staat om willekeurige bestanden te uploaden via de Deploy Web Service-functie. Dit kan ook leiden tot compromittering van systeemvertrouwelijkheid, integriteit en beschikbaarheid.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "general",
"text": "Execution with Unnecessary Privileges",
"title": "CWE-250"
},
{
"category": "general",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "general",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "general",
"text": "Predictable from Observable State",
"title": "CWE-341"
},
{
"category": "general",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "general",
"text": "Weak Password Requirements",
"title": "CWE-521"
},
{
"category": "general",
"text": "Insufficiently Protected Credentials",
"title": "CWE-522"
},
{
"category": "general",
"text": "Unchecked Input for Loop Condition",
"title": "CWE-606"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "Use of Web Link to Untrusted Target with window.opener Access",
"title": "CWE-1022"
},
{
"category": "general",
"text": "Improper Validation of Specified Type of Input",
"title": "CWE-1287"
},
{
"category": "general",
"text": "Dependency on Vulnerable Third-Party Component",
"title": "CWE-1395"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html"
}
],
"title": "Kwetsbaarheden verholpen in SAP producten",
"tracking": {
"current_release_date": "2025-09-09T11:12:22.945466Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.2"
}
},
"id": "NCSC-2025-0275",
"initial_release_date": "2025-09-09T11:12:22.945466Z",
"revision_history": [
{
"date": "2025-09-09T11:12:22.945466Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Business Planning and Consolidation"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "NetWeaver ABAP Platform"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "NetWeaver AS Java"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "Netweaver"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-5"
}
}
],
"category": "product_name",
"name": "SAP Business One (SLD)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-6"
}
}
],
"category": "product_name",
"name": "SAP Fiori (Launchpad)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-7"
}
}
],
"category": "product_name",
"name": "SAP Fiori App (F4044 Manage Work Center Groups)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-8"
}
}
],
"category": "product_name",
"name": "SAP HCM (Approve Timesheets Fiori 2.0 application)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-9"
}
}
],
"category": "product_name",
"name": "SAP HCM (My Timesheet Fiori 2.0 application)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-10"
}
}
],
"category": "product_name",
"name": "SAP Landscape Transformation Replication Server"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-11"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver (Service Data Download)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-12"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver AS Java (Adobe Document Service)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-13"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver AS Java (Deploy Web Service)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-14"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver AS Java (IIOP Service)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-15"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver Application Server Java"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-16"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver Application Server for ABAP"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-17"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver Application Server for ABAP (Background Processing)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-18"
}
}
],
"category": "product_name",
"name": "SAP NetWeaver and ABAP Platform (Service Data Collection)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-19"
}
}
],
"category": "product_name",
"name": "SAP Netweaver (RMI-P4)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-20"
}
}
],
"category": "product_name",
"name": "SAP S/4HANA (Private Cloud or On-Premise)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-21"
}
}
],
"category": "product_name",
"name": "Supplier Relationship Management"
}
],
"category": "vendor",
"name": "SAP"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-5072",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-5072 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2023/cve-2023-5072.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2023-5072"
},
{
"cve": "CVE-2023-27500",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-27500 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2023/cve-2023-27500.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2023-27500"
},
{
"cve": "CVE-2024-13009",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-13009 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2024/cve-2024-13009.json"
}
],
"title": "CVE-2024-13009"
},
{
"cve": "CVE-2025-22228",
"cwe": {
"id": "CWE-521",
"name": "Weak Password Requirements"
},
"notes": [
{
"category": "other",
"text": "Weak Password Requirements",
"title": "CWE-521"
},
{
"category": "other",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-22228 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-22228.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-22228"
},
{
"cve": "CVE-2025-27428",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-27428 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-27428.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-27428"
},
{
"cve": "CVE-2025-42911",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42911 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42911.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42911"
},
{
"cve": "CVE-2025-42912",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42912 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42912.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42912"
},
{
"cve": "CVE-2025-42913",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42913 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42913.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42913"
},
{
"cve": "CVE-2025-42914",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42914 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42914.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42914"
},
{
"cve": "CVE-2025-42915",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42915 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42915.json"
}
],
"title": "CVE-2025-42915"
},
{
"cve": "CVE-2025-42916",
"cwe": {
"id": "CWE-1287",
"name": "Improper Validation of Specified Type of Input"
},
"notes": [
{
"category": "other",
"text": "Improper Validation of Specified Type of Input",
"title": "CWE-1287"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42916 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42916.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42916"
},
{
"cve": "CVE-2025-42917",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42917 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42917.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42917"
},
{
"cve": "CVE-2025-42918",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42918 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42918.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42918"
},
{
"cve": "CVE-2025-42920",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42920 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42920.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42920"
},
{
"cve": "CVE-2025-42922",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42922 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42922.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42922"
},
{
"cve": "CVE-2025-42923",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"notes": [
{
"category": "other",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42923 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42923.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42923"
},
{
"cve": "CVE-2025-42925",
"cwe": {
"id": "CWE-341",
"name": "Predictable from Observable State"
},
"notes": [
{
"category": "other",
"text": "Predictable from Observable State",
"title": "CWE-341"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42925 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42925.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42925"
},
{
"cve": "CVE-2025-42926",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"notes": [
{
"category": "other",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42926 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42926.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42926"
},
{
"cve": "CVE-2025-42927",
"cwe": {
"id": "CWE-1395",
"name": "Dependency on Vulnerable Third-Party Component"
},
"notes": [
{
"category": "other",
"text": "Dependency on Vulnerable Third-Party Component",
"title": "CWE-1395"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42927 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42927.json"
}
],
"title": "CVE-2025-42927"
},
{
"cve": "CVE-2025-42929",
"cwe": {
"id": "CWE-1287",
"name": "Improper Validation of Specified Type of Input"
},
"notes": [
{
"category": "other",
"text": "Improper Validation of Specified Type of Input",
"title": "CWE-1287"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42929 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42929.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42929"
},
{
"cve": "CVE-2025-42930",
"cwe": {
"id": "CWE-606",
"name": "Unchecked Input for Loop Condition"
},
"notes": [
{
"category": "other",
"text": "Unchecked Input for Loop Condition",
"title": "CWE-606"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42930 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42930.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42930"
},
{
"cve": "CVE-2025-42933",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"notes": [
{
"category": "other",
"text": "Insufficiently Protected Credentials",
"title": "CWE-522"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42933 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42933.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42933"
},
{
"cve": "CVE-2025-42938",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42938 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42938.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42938"
},
{
"cve": "CVE-2025-42941",
"cwe": {
"id": "CWE-1022",
"name": "Use of Web Link to Untrusted Target with window.opener Access"
},
"notes": [
{
"category": "other",
"text": "Use of Web Link to Untrusted Target with window.opener Access",
"title": "CWE-1022"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42941 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42941.json"
}
],
"title": "CVE-2025-42941"
},
{
"cve": "CVE-2025-42944",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "other",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42944 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42944.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42944"
},
{
"cve": "CVE-2025-42958",
"cwe": {
"id": "CWE-250",
"name": "Execution with Unnecessary Privileges"
},
"notes": [
{
"category": "other",
"text": "Execution with Unnecessary Privileges",
"title": "CWE-250"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42958 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42958.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42958"
},
{
"cve": "CVE-2025-42961",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42961 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42961.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12",
"CSAFPID-13",
"CSAFPID-14",
"CSAFPID-15",
"CSAFPID-16",
"CSAFPID-17",
"CSAFPID-18",
"CSAFPID-19",
"CSAFPID-20",
"CSAFPID-21"
]
}
],
"title": "CVE-2025-42961"
}
]
}
NCSC-2025-0323
Vulnerability from csaf_ncscnl - Published: 2025-10-17 08:04 - Updated: 2025-10-17 08:04Summary
Kwetsbaarheden verholpen in SAP Producten
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: SAP heeft kwetsbaarheden verholpen in diverse SAP producten.
Interpretaties: De kwetsbaarheden omvatten een deserialisatie kwetsbaarheid die ongeauthenticeerde aanvallers in staat stelt om willekeurige OS-commando's uit te voeren, en een CSRF-kwetsbaarheid die geauthenticeerde aanvallers in staat stelt om kritieke autorisatiecontroles te omzeilen. Daarnaast zijn er kwetsbaarheden die leiden tot ongeautoriseerde toegang tot gevoelige ABAP-code en de mogelijkheid om verwerkingsregels te verwijderen zonder de juiste autorisatie. Deze kwetsbaarheden kunnen leiden tot ernstige gevolgen voor de integriteit en vertrouwelijkheid van de applicatie.
Oplossingen: SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: medium
CWE-20: Improper Input Validation
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-35: Path Traversal: '.../...//'
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-204: Observable Response Discrepancy
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-400: Uncontrolled Resource Consumption
CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-476: NULL Pointer Dereference
CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
CWE-502: Deserialization of Untrusted Data
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-863: Incorrect Authorization
CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
A deserialization vulnerability in SAP NetWeaver's RMI-P4 module allows unauthenticated attackers to execute arbitrary OS commands, posing significant security risks.
10.0 (Critical)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
SAP Print Service (SAPSprint) contains a directory traversal vulnerability that allows unauthenticated attackers to manipulate path information, potentially compromising system files and affecting the application's confidentiality, integrity, and availability.
9.8 (Critical)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
SAP Supplier Relationship Management has an unrestricted file upload vulnerability that allows authenticated attackers to upload arbitrary files, potentially leading to malware execution and compromising the application's confidentiality, integrity, and availability.
9.0 (Critical)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
The 'MadeYouReset' vulnerability in HTTP/2 affects certain versions of Eclipse Jetty, allowing attackers to exploit malformed control frames for resource exhaustion and denial of service, alongside a related DoS vulnerability in SAP Commerce Cloud.
7.5 (High)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
Recent vulnerabilities in Apache CXF allow untrusted users to configure JMS with RMI or LDAP URLs, leading to potential code execution, with specific versions recommended for upgrade to address these issues.
9.8 (Critical)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
SAP NetWeaver Application Server ABAP applications using SAP GUI for HTML have a vulnerability that allows attackers with administrative privileges to access sensitive user data stored in local browser storage.
6.0 (Medium)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
The SAP Application Server for ABAP has vulnerabilities allowing authenticated attackers to execute malicious JavaScript payloads and perform code injection via the BAPI explorer and BAPI Browser, respectively.
5.4 (Medium)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
A CSRF vulnerability in SAP NetWeaver Application Server for ABAP enables authenticated attackers to bypass authorization checks, leading to unauthorized transactions that compromise system integrity and confidentiality.
5.4 (Medium)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
SAP Commerce Cloud contains a directory traversal vulnerability that allows unauthorized access to the Administration Console from unintended addresses, posing a low risk to confidentiality.
5.3 (Medium)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
A memory corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform allows unauthenticated attackers to crash the application server via corrupted SAP Logon or Assertion Tickets, impacting availability.
5.3 (Medium)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
SAP S/4HANA (Manage Processing Rules - For Bank Statements) has a vulnerability allowing authenticated attackers to delete shared rule conditions due to a missing authorization check, compromising application integrity.
4.3 (Medium)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
SAP NetWeaver has a vulnerability that enables attackers to bypass authorization checks, allowing unauthorized access to sensitive ABAP code and compromising confidentiality.
4.3 (Medium)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
A vulnerability in SAP Financial Service Claims Management's RFC function ICL_USER_GET_NAME_AND_ADDRESS allows for user enumeration and potential personal data exposure, presenting a low confidentiality risk.
4.3 (Medium)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
Recent vulnerabilities in Apache POI, Oracle Business Process Management Suite, and SAP BusinessObjects expose systems to risks including improper input validation, unauthenticated access, and deserialization issues.
6.3 (Medium)
Affected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
SAP Cloud Appliance Library Appliances have a security misconfiguration vulnerability that allows high-privilege attackers to exploit insecure default profile settings to access other appliances, posing a low risk to confidentiality.
CWE-1004 - Sensitive Cookie Without 'HttpOnly' FlagAffected products
Known affected
11 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Cloud Appliance Library Appliances
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Financial Service Claims Management
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver AS ABAP and ABAP Platform
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Print Service
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Commerce Cloud
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Supplier Relationship Management
|
vers:unknown/* |
References
15 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "SAP heeft kwetsbaarheden verholpen in diverse SAP producten.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden omvatten een deserialisatie kwetsbaarheid die ongeauthenticeerde aanvallers in staat stelt om willekeurige OS-commando\u0027s uit te voeren, en een CSRF-kwetsbaarheid die geauthenticeerde aanvallers in staat stelt om kritieke autorisatiecontroles te omzeilen. Daarnaast zijn er kwetsbaarheden die leiden tot ongeautoriseerde toegang tot gevoelige ABAP-code en de mogelijkheid om verwerkingsregels te verwijderen zonder de juiste autorisatie. Deze kwetsbaarheden kunnen leiden tot ernstige gevolgen voor de integriteit en vertrouwelijkheid van de applicatie.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "medium",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Path Traversal: \u0027.../...//\u0027",
"title": "CWE-35"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "general",
"text": "Observable Response Discrepancy",
"title": "CWE-204"
},
{
"category": "general",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "general",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "general",
"text": "Unrestricted Upload of File with Dangerous Type",
"title": "CWE-434"
},
{
"category": "general",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
},
{
"category": "general",
"text": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"title": "CWE-497"
},
{
"category": "general",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"title": "CWE-1004"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"title": "Kwetsbaarheden verholpen in SAP Producten",
"tracking": {
"current_release_date": "2025-10-17T08:04:54.828451Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2025-0323",
"initial_release_date": "2025-10-17T08:04:54.828451Z",
"revision_history": [
{
"date": "2025-10-17T08:04:54.828451Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Application Server for ABAP"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "Cloud Appliance Library Appliances"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "Commerce Cloud"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "Financial Service Claims Management"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-5"
}
}
],
"category": "product_name",
"name": "NetWeaver Application Server for ABAP"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-6"
}
}
],
"category": "product_name",
"name": "Netweaver"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-7"
}
}
],
"category": "product_name",
"name": "Netweaver AS ABAP and ABAP Platform"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-8"
}
}
],
"category": "product_name",
"name": "Print Service"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-9"
}
}
],
"category": "product_name",
"name": "S4HANA"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-10"
}
}
],
"category": "product_name",
"name": "SAP Commerce Cloud"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-11"
}
}
],
"category": "product_name",
"name": "Supplier Relationship Management"
}
],
"category": "vendor",
"name": "SAP"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-42944",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "other",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "description",
"text": "A deserialization vulnerability in SAP NetWeaver\u0027s RMI-P4 module allows unauthenticated attackers to execute arbitrary OS commands, posing significant security risks.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42944 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42944.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-42944"
},
{
"cve": "CVE-2025-42937",
"cwe": {
"id": "CWE-35",
"name": "Path Traversal: \u0027.../...//\u0027"
},
"notes": [
{
"category": "other",
"text": "Path Traversal: \u0027.../...//\u0027",
"title": "CWE-35"
},
{
"category": "description",
"text": "SAP Print Service (SAPSprint) contains a directory traversal vulnerability that allows unauthenticated attackers to manipulate path information, potentially compromising system files and affecting the application\u0027s confidentiality, integrity, and availability.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42937 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42937.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-42937"
},
{
"cve": "CVE-2025-42910",
"cwe": {
"id": "CWE-434",
"name": "Unrestricted Upload of File with Dangerous Type"
},
"notes": [
{
"category": "other",
"text": "Unrestricted Upload of File with Dangerous Type",
"title": "CWE-434"
},
{
"category": "description",
"text": "SAP Supplier Relationship Management has an unrestricted file upload vulnerability that allows authenticated attackers to upload arbitrary files, potentially leading to malware execution and compromising the application\u0027s confidentiality, integrity, and availability.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42910 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42910.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-42910"
},
{
"cve": "CVE-2025-5115",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "description",
"text": "The \u0027MadeYouReset\u0027 vulnerability in HTTP/2 affects certain versions of Eclipse Jetty, allowing attackers to exploit malformed control frames for resource exhaustion and denial of service, alongside a related DoS vulnerability in SAP Commerce Cloud.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-5115 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-5115.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-5115"
},
{
"cve": "CVE-2025-48913",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "description",
"text": "Recent vulnerabilities in Apache CXF allow untrusted users to configure JMS with RMI or LDAP URLs, leading to potential code execution, with specific versions recommended for upgrade to address these issues.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-48913 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-48913.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-48913"
},
{
"cve": "CVE-2025-0059",
"cwe": {
"id": "CWE-497",
"name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"
},
"notes": [
{
"category": "other",
"text": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"title": "CWE-497"
},
{
"category": "description",
"text": "SAP NetWeaver Application Server ABAP applications using SAP GUI for HTML have a vulnerability that allows attackers with administrative privileges to access sensitive user data stored in local browser storage.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-0059 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-0059.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-0059"
},
{
"cve": "CVE-2025-42901",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "description",
"text": "The SAP Application Server for ABAP has vulnerabilities allowing authenticated attackers to execute malicious JavaScript payloads and perform code injection via the BAPI explorer and BAPI Browser, respectively.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42901 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42901.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-42901"
},
{
"cve": "CVE-2025-42908",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"notes": [
{
"category": "other",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "description",
"text": "A CSRF vulnerability in SAP NetWeaver Application Server for ABAP enables authenticated attackers to bypass authorization checks, leading to unauthorized transactions that compromise system integrity and confidentiality.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42908 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42908.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-42908"
},
{
"cve": "CVE-2025-42906",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "description",
"text": "SAP Commerce Cloud contains a directory traversal vulnerability that allows unauthorized access to the Administration Console from unintended addresses, posing a low risk to confidentiality.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42906 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42906.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-42906"
},
{
"cve": "CVE-2025-42902",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"notes": [
{
"category": "other",
"text": "NULL Pointer Dereference",
"title": "CWE-476"
},
{
"category": "description",
"text": "A memory corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform allows unauthenticated attackers to crash the application server via corrupted SAP Logon or Assertion Tickets, impacting availability.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42902 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42902.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-42902"
},
{
"cve": "CVE-2025-42939",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"notes": [
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "description",
"text": "SAP S/4HANA (Manage Processing Rules - For Bank Statements) has a vulnerability allowing authenticated attackers to delete shared rule conditions due to a missing authorization check, compromising application integrity.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42939 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42939.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-42939"
},
{
"cve": "CVE-2025-31331",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"notes": [
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "description",
"text": "SAP NetWeaver has a vulnerability that enables attackers to bypass authorization checks, allowing unauthorized access to sensitive ABAP code and compromising confidentiality.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-31331 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-31331.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-31331"
},
{
"cve": "CVE-2025-42903",
"cwe": {
"id": "CWE-204",
"name": "Observable Response Discrepancy"
},
"notes": [
{
"category": "other",
"text": "Observable Response Discrepancy",
"title": "CWE-204"
},
{
"category": "description",
"text": "A vulnerability in SAP Financial Service Claims Management\u0027s RFC function ICL_USER_GET_NAME_AND_ADDRESS allows for user enumeration and potential personal data exposure, presenting a low confidentiality risk.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42903 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42903.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-42903"
},
{
"cve": "CVE-2025-31672",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "description",
"text": "Recent vulnerabilities in Apache POI, Oracle Business Process Management Suite, and SAP BusinessObjects expose systems to risks including improper input validation, unauthenticated access, and deserialization issues.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-31672 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-31672.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-31672"
},
{
"cve": "CVE-2025-42909",
"cwe": {
"id": "CWE-1004",
"name": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag"
},
"notes": [
{
"category": "other",
"text": "Sensitive Cookie Without \u0027HttpOnly\u0027 Flag",
"title": "CWE-1004"
},
{
"category": "description",
"text": "SAP Cloud Appliance Library Appliances have a security misconfiguration vulnerability that allows high-privilege attackers to exploit insecure default profile settings to access other appliances, posing a low risk to confidentiality.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42909 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42909.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.0,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11"
]
}
],
"title": "CVE-2025-42909"
}
]
}
NCSC-2025-0356
Vulnerability from csaf_ncscnl - Published: 2025-11-11 12:15 - Updated: 2025-11-11 12:15Summary
Kwetsbaarheden verholpen in SAP-producten
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: SAP heeft kwetsbaarheden verholpen in verschillende producten, waaronder SAP NetWeaver, SAP Business Connector, SAP HANA, en SAP S/4HANA.
Interpretaties: De kwetsbaarheden omvatten onder andere deserialisatie, code-injectie, onvoldoende validatie, en informatie openbaarmaking. Deze kwetsbaarheden kunnen worden misbruikt door aanvallers om ongeautoriseerde toegang te verkrijgen, schadelijke code uit te voeren, of gevoelige informatie te lekken. De impact varieert van compromittering van vertrouwelijkheid en integriteit tot volledige systeemcompromittering, afhankelijk van de specifieke kwetsbaarheid en de context van gebruik.
De ernstigste kwetsbaarheid heeft kenmerk CVE-2025-42944 toegewezen gekregen en bevindt zich in Netweaver. Een kwaadwillende op afstand kan de kwetsbaarheid zonder voorafgaande authenticatie misbruiken om willekeurige code uit te voeren in de context van de Netweaver service.
Oplossingen: SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans: medium
Schade: high
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-306: Missing Authentication for Critical Function
CWE-316: Cleartext Storage of Sensitive Information in Memory
CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-502: Deserialization of Untrusted Data
CWE-522: Insufficiently Protected Credentials
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CWE-787: Out-of-bounds Write
CWE-798: Use of Hard-coded Credentials
CWE-862: Missing Authorization
CWE-943: Improper Neutralization of Special Elements in Data Query Logic
The SQL Anywhere Monitor (Non-GUI) contains baked credentials and vulnerabilities related to insecure key and secret management, posing significant risks to system confidentiality, integrity, and availability.
10.0 (Critical)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
A deserialization vulnerability in SAP NetWeaver's RMI-P4 module allows unauthenticated attackers to execute arbitrary OS commands, posing significant security risks.
10.0 (Critical)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
SAP Solution Manager has a code injection vulnerability due to inadequate input sanitation, allowing authenticated attackers to execute malicious code and potentially gain full control of the system.
9.9 (Critical)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
SAP CommonCryptoLib has a memory corruption vulnerability due to insufficient boundary checks during pre-authentication parsing of manipulated ASN.1 data, potentially leading to application crashes.
7.5 (High)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
The SAP HANA JDBC Client has a code injection vulnerability due to inadequate validation of connection property values, allowing high-privilege users to inject parameters that can lead to unauthorized code loading.
6.9 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
An OS Command Injection vulnerability in SAP Business Connector allows authenticated attackers with administrative access to upload malicious content, potentially compromising the entire system.
6.8 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
A Path Traversal vulnerability in SAP Business Connector allows authenticated administrators to manipulate host system files, risking the system's confidentiality, integrity, and availability.
6.8 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
SAP NetWeaver Enterprise Portal is susceptible to JNDI injection, enabling unauthenticated attackers to manipulate JNDI properties and potentially gain unauthorized access to server information.
6.5 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
The SAP E-Recruiting BSP in the SAP S/4HANA landscape has an open redirect vulnerability that allows unauthenticated attackers to create malicious links, posing a risk of redirecting users to attacker-controlled pages.
6.1 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
An Open Redirect vulnerability in SAP Business Connector enables unauthenticated attackers to craft malicious URLs that redirect users to attacker-controlled sites, risking sensitive information exposure.
6.1 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
A reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector allows unauthenticated attackers to execute harmful content in the browser of authenticated users via malicious links.
6.1 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
SAP HANA 2.0 (hdbrss) has a vulnerability due to missing authentication, allowing unauthenticated access to remote-enabled functions, with low risk to confidentiality.
5.8 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
SAP GUI for Windows contains a high-risk information disclosure vulnerability that allows privileged users to access sensitive process memory, impacting confidentiality without affecting integrity or availability.
5.5 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
The SAP Starter Solution contains a SQL Injection vulnerability that allows authenticated attackers to execute crafted database queries, posing a low risk to confidentiality and integrity.
5.4 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
An Information Disclosure vulnerability in SAP NetWeaver Application Server Java allows unauthenticated attackers to access sensitive internal metadata files, compromising confidentiality without affecting integrity or availability.
5.3 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
An information disclosure vulnerability in the anonymous API of SAP Business One (SLD) allows unauthorized information access to attackers with normal user privileges, posing a low confidentiality risk.
5.3 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
SAP S4CORE (Manage Journal Entries) has a missing authorization check for authenticated users, which may lead to privilege escalation with low impact on confidentiality.
4.3 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
A vulnerability in SAP NetWeaver Application Server for ABAP allows authenticated attackers to execute a function module, accessing restricted technical information due to a missing authorization check, posing a low confidentiality risk.
4.3 (Medium)
Affected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
The Migration Workbench in SAP NetWeaver Application Server for ABAP has vulnerabilities related to malware scan failures and insecure file operations, allowing potential upload of malicious files by attackers with administrative privileges.
CWE-434 - Unrestricted Upload of File with Dangerous TypeAffected products
Known affected
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
SAP / Business One
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / GUI for Windows
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / HANA JDBC Client
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server Java
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Application Server for ABAP
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / NetWeaver Enterprise Portal
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Netweaver
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / S4CORE
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SAP Netweaver (RMI-P4)
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / SQL Anywhere Monitor
|
vers:unknown/* | ||
|
vers:unknown/*
SAP / Solution Manager
|
vers:unknown/* |
References
20 references
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "SAP heeft kwetsbaarheden verholpen in verschillende producten, waaronder SAP NetWeaver, SAP Business Connector, SAP HANA, en SAP S/4HANA.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden omvatten onder andere deserialisatie, code-injectie, onvoldoende validatie, en informatie openbaarmaking. Deze kwetsbaarheden kunnen worden misbruikt door aanvallers om ongeautoriseerde toegang te verkrijgen, schadelijke code uit te voeren, of gevoelige informatie te lekken. De impact varieert van compromittering van vertrouwelijkheid en integriteit tot volledige systeemcompromittering, afhankelijk van de specifieke kwetsbaarheid en de context van gebruik.\n\nDe ernstigste kwetsbaarheid heeft kenmerk CVE-2025-42944 toegewezen gekregen en bevindt zich in Netweaver. Een kwaadwillende op afstand kan de kwetsbaarheid zonder voorafgaande authenticatie misbruiken om willekeurige code uit te voeren in de context van de Netweaver service.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"title": "CWE-89"
},
{
"category": "general",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "general",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "general",
"text": "Cleartext Storage of Sensitive Information in Memory",
"title": "CWE-316"
},
{
"category": "general",
"text": "Unrestricted Upload of File with Dangerous Type",
"title": "CWE-434"
},
{
"category": "general",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "general",
"text": "Insufficiently Protected Credentials",
"title": "CWE-522"
},
{
"category": "general",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "general",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "general",
"text": "Use of Hard-coded Credentials",
"title": "CWE-798"
},
{
"category": "general",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements in Data Query Logic",
"title": "CWE-943"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november-2025.html"
}
],
"title": "Kwetsbaarheden verholpen in SAP-producten",
"tracking": {
"current_release_date": "2025-11-11T12:15:53.615720Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2025-0356",
"initial_release_date": "2025-11-11T12:15:53.615720Z",
"revision_history": [
{
"date": "2025-11-11T12:15:53.615720Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "Business One"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-2"
}
}
],
"category": "product_name",
"name": "GUI for Windows"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-3"
}
}
],
"category": "product_name",
"name": "HANA"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-4"
}
}
],
"category": "product_name",
"name": "HANA JDBC Client"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-5"
}
}
],
"category": "product_name",
"name": "NetWeaver Application Server Java"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-6"
}
}
],
"category": "product_name",
"name": "NetWeaver Application Server for ABAP"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-7"
}
}
],
"category": "product_name",
"name": "NetWeaver Enterprise Portal"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-8"
}
}
],
"category": "product_name",
"name": "Netweaver"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-9"
}
}
],
"category": "product_name",
"name": "S4CORE"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-10"
}
}
],
"category": "product_name",
"name": "SAP Netweaver (RMI-P4)"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-11"
}
}
],
"category": "product_name",
"name": "SQL Anywhere Monitor"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-12"
}
}
],
"category": "product_name",
"name": "Solution Manager"
}
],
"category": "vendor",
"name": "SAP"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-42890",
"cwe": {
"id": "CWE-798",
"name": "Use of Hard-coded Credentials"
},
"notes": [
{
"category": "other",
"text": "Use of Hard-coded Credentials",
"title": "CWE-798"
},
{
"category": "description",
"text": "The SQL Anywhere Monitor (Non-GUI) contains baked credentials and vulnerabilities related to insecure key and secret management, posing significant risks to system confidentiality, integrity, and availability.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42890 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42890.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42890"
},
{
"cve": "CVE-2025-42944",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "other",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "description",
"text": "A deserialization vulnerability in SAP NetWeaver\u0027s RMI-P4 module allows unauthenticated attackers to execute arbitrary OS commands, posing significant security risks.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42944 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42944.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42944"
},
{
"cve": "CVE-2025-42887",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "description",
"text": "SAP Solution Manager has a code injection vulnerability due to inadequate input sanitation, allowing authenticated attackers to execute malicious code and potentially gain full control of the system.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42887 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42887.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42887"
},
{
"cve": "CVE-2025-42940",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "description",
"text": "SAP CommonCryptoLib has a memory corruption vulnerability due to insufficient boundary checks during pre-authentication parsing of manipulated ASN.1 data, potentially leading to application crashes.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42940 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42940.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42940"
},
{
"cve": "CVE-2025-42895",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "description",
"text": "The SAP HANA JDBC Client has a code injection vulnerability due to inadequate validation of connection property values, allowing high-privilege users to inject parameters that can lead to unauthorized code loading.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42895 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42895.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42895"
},
{
"cve": "CVE-2025-42892",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "description",
"text": "An OS Command Injection vulnerability in SAP Business Connector allows authenticated attackers with administrative access to upload malicious content, potentially compromising the entire system.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42892 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42892.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42892"
},
{
"cve": "CVE-2025-42894",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "description",
"text": "A Path Traversal vulnerability in SAP Business Connector allows authenticated administrators to manipulate host system files, risking the system\u0027s confidentiality, integrity, and availability.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42894 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42894.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42894"
},
{
"cve": "CVE-2025-42884",
"cwe": {
"id": "CWE-943",
"name": "Improper Neutralization of Special Elements in Data Query Logic"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements in Data Query Logic",
"title": "CWE-943"
},
{
"category": "description",
"text": "SAP NetWeaver Enterprise Portal is susceptible to JNDI injection, enabling unauthenticated attackers to manipulate JNDI properties and potentially gain unauthorized access to server information.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42884 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42884.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42884"
},
{
"cve": "CVE-2025-42924",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "other",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "description",
"text": "The SAP E-Recruiting BSP in the SAP S/4HANA landscape has an open redirect vulnerability that allows unauthenticated attackers to create malicious links, posing a risk of redirecting users to attacker-controlled pages.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42924 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42924.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42924"
},
{
"cve": "CVE-2025-42893",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "other",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "description",
"text": "An Open Redirect vulnerability in SAP Business Connector enables unauthenticated attackers to craft malicious URLs that redirect users to attacker-controlled sites, risking sensitive information exposure.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42893 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42893.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42893"
},
{
"cve": "CVE-2025-42886",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "description",
"text": "A reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector allows unauthenticated attackers to execute harmful content in the browser of authenticated users via malicious links.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42886 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42886.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42886"
},
{
"cve": "CVE-2025-42885",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"notes": [
{
"category": "other",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "description",
"text": "SAP HANA 2.0 (hdbrss) has a vulnerability due to missing authentication, allowing unauthenticated access to remote-enabled functions, with low risk to confidentiality.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42885 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42885.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42885"
},
{
"cve": "CVE-2025-42888",
"cwe": {
"id": "CWE-316",
"name": "Cleartext Storage of Sensitive Information in Memory"
},
"notes": [
{
"category": "other",
"text": "Cleartext Storage of Sensitive Information in Memory",
"title": "CWE-316"
},
{
"category": "description",
"text": "SAP GUI for Windows contains a high-risk information disclosure vulnerability that allows privileged users to access sensitive process memory, impacting confidentiality without affecting integrity or availability.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42888 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42888.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42888"
},
{
"cve": "CVE-2025-42889",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"title": "CWE-89"
},
{
"category": "description",
"text": "The SAP Starter Solution contains a SQL Injection vulnerability that allows authenticated attackers to execute crafted database queries, posing a low risk to confidentiality and integrity.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42889 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42889.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42889"
},
{
"cve": "CVE-2025-42919",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "description",
"text": "An Information Disclosure vulnerability in SAP NetWeaver Application Server Java allows unauthenticated attackers to access sensitive internal metadata files, compromising confidentiality without affecting integrity or availability.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42919 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42919.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42919"
},
{
"cve": "CVE-2025-42897",
"cwe": {
"id": "CWE-522",
"name": "Insufficiently Protected Credentials"
},
"notes": [
{
"category": "other",
"text": "Insufficiently Protected Credentials",
"title": "CWE-522"
},
{
"category": "description",
"text": "An information disclosure vulnerability in the anonymous API of SAP Business One (SLD) allows unauthorized information access to attackers with normal user privileges, posing a low confidentiality risk.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42897 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42897.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42897"
},
{
"cve": "CVE-2025-42899",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "description",
"text": "SAP S4CORE (Manage Journal Entries) has a missing authorization check for authenticated users, which may lead to privilege escalation with low impact on confidentiality.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42899 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42899.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42899"
},
{
"cve": "CVE-2025-42882",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "description",
"text": "A vulnerability in SAP NetWeaver Application Server for ABAP allows authenticated attackers to execute a function module, accessing restricted technical information due to a missing authorization check, posing a low confidentiality risk.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42882 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42882.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42882"
},
{
"cve": "CVE-2025-42883",
"cwe": {
"id": "CWE-434",
"name": "Unrestricted Upload of File with Dangerous Type"
},
"notes": [
{
"category": "other",
"text": "Unrestricted Upload of File with Dangerous Type",
"title": "CWE-434"
},
{
"category": "description",
"text": "The Migration Workbench in SAP NetWeaver Application Server for ABAP has vulnerabilities related to malware scan failures and insecure file operations, allowing potential upload of malicious files by attackers with administrative privileges.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-42883 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-42883.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1",
"CSAFPID-2",
"CSAFPID-3",
"CSAFPID-4",
"CSAFPID-5",
"CSAFPID-6",
"CSAFPID-7",
"CSAFPID-8",
"CSAFPID-9",
"CSAFPID-10",
"CSAFPID-11",
"CSAFPID-12"
]
}
],
"title": "CVE-2025-42883"
}
]
}
WID-SEC-W-2025-1989
Vulnerability from csaf_certbund - Published: 2025-09-08 22:00 - Updated: 2025-09-23 22:00Summary
SAP Patchday September 2025: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: SAP stellt unternehmensweite Lösungen für Geschäftsprozesse wie Buchführung, Vertrieb, Einkauf und Lagerhaltung zur Verfügung.
Angriff: Ein Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, Cross-Site-Scripting-Angriffe durchzuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand herbeizuführen oder andere nicht näher spezifizierte Auswirkungen zu verursachen.
Betroffene Betriebssysteme: - Sonstiges
- UNIX
- Windows
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SAP Software
SAP
|
cpe:/a:sap:sap:-
|
— |
References
3 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "SAP stellt unternehmensweite L\u00f6sungen f\u00fcr Gesch\u00e4ftsprozesse wie Buchf\u00fchrung, Vertrieb, Einkauf und Lagerhaltung zur Verf\u00fcgung.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, beliebigen Code auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand herbeizuf\u00fchren oder andere nicht n\u00e4her spezifizierte Auswirkungen zu verursachen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1989 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1989.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1989 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1989"
},
{
"category": "external",
"summary": "SAP Patchday September 2025 vom 2025-09-08",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html"
}
],
"source_lang": "en-US",
"title": "SAP Patchday September 2025: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-09-23T22:00:00.000+00:00",
"generator": {
"date": "2025-09-24T05:11:07.916+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2025-1989",
"initial_release_date": "2025-09-08T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-09-08T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-09-23T22:00:00.000+00:00",
"number": "2",
"summary": "CVE-2025-42907 erg\u00e4nzt"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "SAP Software",
"product": {
"name": "SAP Software",
"product_id": "T046772",
"product_identification_helper": {
"cpe": "cpe:/a:sap:sap:-"
}
}
}
],
"category": "vendor",
"name": "SAP"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-27500",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2023-27500"
},
{
"cve": "CVE-2023-5072",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2023-5072"
},
{
"cve": "CVE-2024-13009",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2024-13009"
},
{
"cve": "CVE-2025-22228",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-22228"
},
{
"cve": "CVE-2025-27428",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-27428"
},
{
"cve": "CVE-2025-42907",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42907"
},
{
"cve": "CVE-2025-42911",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42911"
},
{
"cve": "CVE-2025-42912",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42912"
},
{
"cve": "CVE-2025-42913",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42913"
},
{
"cve": "CVE-2025-42914",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42914"
},
{
"cve": "CVE-2025-42915",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42915"
},
{
"cve": "CVE-2025-42916",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42916"
},
{
"cve": "CVE-2025-42917",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42917"
},
{
"cve": "CVE-2025-42918",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42918"
},
{
"cve": "CVE-2025-42920",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42920"
},
{
"cve": "CVE-2025-42922",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42922"
},
{
"cve": "CVE-2025-42923",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42923"
},
{
"cve": "CVE-2025-42925",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42925"
},
{
"cve": "CVE-2025-42926",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42926"
},
{
"cve": "CVE-2025-42927",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42927"
},
{
"cve": "CVE-2025-42929",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42929"
},
{
"cve": "CVE-2025-42930",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42930"
},
{
"cve": "CVE-2025-42933",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42933"
},
{
"cve": "CVE-2025-42938",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42938"
},
{
"cve": "CVE-2025-42941",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42941"
},
{
"cve": "CVE-2025-42944",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42944"
},
{
"cve": "CVE-2025-42958",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42958"
},
{
"cve": "CVE-2025-42961",
"product_status": {
"known_affected": [
"T046772"
]
},
"release_date": "2025-09-08T22:00:00.000+00:00",
"title": "CVE-2025-42961"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…