cnvd - cnvd-2025-21202

CNVD-2025-21202

Vulnerability from cnvd - Published: 2025-09-12

Title

SAP Fiori App Manage Work Center Groups跨站请求伪造漏洞

Description

SAP Fiori App Manage Work Center Groups是德国思爱普（SAP）公司的一个具有管理和维护工作中心组功能的企业应用。 SAP Fiori App Manage Work Center Groups存在跨站请求伪造漏洞，该漏洞源于CSRF保护不足，攻击者可利用该漏洞导致发送意外请求。

Severity

中

Patch Name

SAP Fiori App Manage Work Center Groups跨站请求伪造漏洞的补丁

Patch Description

SAP Fiori App Manage Work Center Groups是德国思爱普（SAP）公司的一个具有管理和维护工作中心组功能的企业应用。 SAP Fiori App Manage Work Center Groups存在跨站请求伪造漏洞，该漏洞源于CSRF保护不足，攻击者可利用该漏洞导致发送意外请求。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://me.sap.com/notes/3450692

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-42923

Impacted products

Name
['SAP Fiori App Manage Work Center Groups UIS4HOP1 600', 'SAP Fiori App Manage Work Center Groups 700', 'SAP Fiori App Manage Work Center Groups 800', 'SAP Fiori App Manage Work Center Groups 900']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-42923",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-42923"
    }
  },
  "description": "SAP Fiori App Manage Work Center Groups\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5177\u6709\u7ba1\u7406\u548c\u7ef4\u62a4\u5de5\u4f5c\u4e2d\u5fc3\u7ec4\u529f\u80fd\u7684\u4f01\u4e1a\u5e94\u7528\u3002\n\nSAP Fiori App Manage Work Center Groups\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eCSRF\u4fdd\u62a4\u4e0d\u8db3\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u53d1\u9001\u610f\u5916\u8bf7\u6c42\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://me.sap.com/notes/3450692",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-21202",
  "openTime": "2025-09-12",
  "patchDescription": "SAP Fiori App Manage Work Center Groups\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5177\u6709\u7ba1\u7406\u548c\u7ef4\u62a4\u5de5\u4f5c\u4e2d\u5fc3\u7ec4\u529f\u80fd\u7684\u4f01\u4e1a\u5e94\u7528\u3002\r\n\r\nSAP Fiori App Manage Work Center Groups\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eCSRF\u4fdd\u62a4\u4e0d\u8db3\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u53d1\u9001\u610f\u5916\u8bf7\u6c42\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP Fiori App Manage Work Center Groups\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP Fiori App Manage Work Center Groups UIS4HOP1 600",
      "SAP Fiori App Manage Work Center Groups 700",
      "SAP Fiori App Manage Work Center Groups 800",
      "SAP Fiori App Manage Work Center Groups 900"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-42923",
  "serverity": "\u4e2d",
  "submitTime": "2025-09-11",
  "title": "SAP Fiori App Manage Work Center Groups\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

CVE-2025-42923 (GCVE-0-2025-42923)

Vulnerability from cvelistv5 – Published: 2025-09-09 02:09 – Updated: 2025-09-09 14:31

Summary

Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker to send unintended request to the web server. This has low impact on integrity and no impact on confidentiality and availability of the application.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

sap

References

URL

Tags

	https://me.sap.com/notes/3450692
	https://url.sap/sapsecuritypatchday

Impacted products

	Vendor	Product	Version
	SAP_SE	SAP Fiori App (F4044 Manage Work Center Groups)	Affected: UIS4HOP1 600 Affected: 700 Affected: 800 Affected: 900

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42923",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-09T14:29:47.996595Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-09T14:31:26.231Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP Fiori App (F4044 Manage Work Center Groups)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "UIS4HOP1 600"
            },
            {
              "status": "affected",
              "version": "700"
            },
            {
              "status": "affected",
              "version": "800"
            },
            {
              "status": "affected",
              "version": "900"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDue to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker to send unintended request to the web server. This has low impact on integrity and no impact on confidentiality and availability of the application.\u003c/p\u003e"
            }
          ],
          "value": "Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker to send unintended request to the web server. This has low impact on integrity and no impact on confidentiality and availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T02:09:47.744Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3450692"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (F4044 Manage Work Center Groups)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-42923",
    "datePublished": "2025-09-09T02:09:47.744Z",
    "dateReserved": "2025-04-16T13:25:32.384Z",
    "dateUpdated": "2025-09-09T14:31:26.231Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-21202

CVE-2025-42923 (GCVE-0-2025-42923)

Tags

Sightings

Nomenclature