Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2025-0054 (GCVE-0-2025-0054)
Vulnerability from cvelistv5 – Published: 2025-02-11 00:32 – Updated: 2025-02-18 18:08
VLAI?
EPSS
Summary
SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP NetWeaver Application Server Java |
Affected:
EP-BASIS 7.50
Affected: FRAMEWORK-EXT 7.50 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0054",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T05:53:48.712687Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T18:08:26.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP NetWeaver Application Server Java",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "EP-BASIS 7.50"
},
{
"status": "affected",
"version": "FRAMEWORK-EXT 7.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim\u0027s web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.\u003c/p\u003e"
}
],
"value": "SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim\u0027s web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T00:32:57.017Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3526203"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-0054",
"datePublished": "2025-02-11T00:32:57.017Z",
"dateReserved": "2024-12-05T21:37:30.337Z",
"dateUpdated": "2025-02-18T18:08:26.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-0054\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2025-02-11T01:15:09.650\",\"lastModified\":\"2025-02-18T18:15:28.260\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim\u0027s web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.\"},{\"lang\":\"es\",\"value\":\"El servidor de aplicaciones Java de SAP NetWeaver no gestiona adecuadamente la entrada del usuario, lo que da lugar a una vulnerabilidad Cross-Site Scripting Almacenado. La aplicaci\u00f3n permite a los atacantes con privilegios de usuario b\u00e1sicos almacenar un payload Javascript en el servidor, que podr\u00eda ejecutarse posteriormente en el navegador web de la v\u00edctima. Con esto, el atacante podr\u00eda leer o modificar informaci\u00f3n asociada a la p\u00e1gina web vulnerable.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@sap.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"cna@sap.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://me.sap.com/notes/3526203\",\"source\":\"cna@sap.com\"},{\"url\":\"https://url.sap/sapsecuritypatchday\",\"source\":\"cna@sap.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-0054\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-11T05:53:48.712687Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-11T05:55:03.726Z\"}}], \"cna\": {\"title\": \"Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP NetWeaver Application Server Java\", \"versions\": [{\"status\": \"affected\", \"version\": \"EP-BASIS 7.50\"}, {\"status\": \"affected\", \"version\": \"FRAMEWORK-EXT 7.50\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://me.sap.com/notes/3526203\"}, {\"url\": \"https://url.sap/sapsecuritypatchday\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim\u0027s web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eSAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim\u0027s web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"eng\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2025-02-11T00:32:57.017Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-0054\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-18T18:08:26.569Z\", \"dateReserved\": \"2024-12-05T21:37:30.337Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2025-02-11T00:32:57.017Z\", \"assignerShortName\": \"sap\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
CNVD-2025-03269
Vulnerability from cnvd - Published: 2025-02-20
VLAI Severity ?
Title
SAP NetWeaver Application Server Java跨站脚本漏洞
Description
SAP NetWeaver Application Server Java是德国思爱普(SAP)公司的一款提供了Java运行环境的应用程序服务器。该产品主要用于开发和运行Java EE应用程序。
SAP NetWeaver Application Server Java存在跨站脚本漏洞,远程攻击者可利用该漏洞注入恶意脚本或HTML代码,当恶意数据被查看时,可获取敏感信息或劫持用户会话。
Severity
中
Patch Name
SAP NetWeaver Application Server Java跨站脚本漏洞的补丁
Patch Description
SAP NetWeaver Application Server Java是德国思爱普(SAP)公司的一款提供了Java运行环境的应用程序服务器。该产品主要用于开发和运行Java EE应用程序。
SAP NetWeaver Application Server Java存在跨站脚本漏洞,远程攻击者可利用该漏洞注入恶意脚本或HTML代码,当恶意数据被查看时,可获取敏感信息或劫持用户会话。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html
Reference
https://nvd.nist.gov/vuln/detail/CVE-2023-2173
Impacted products
| Name | SAP SAP NetWeaver Application Server Java null |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2025-0054",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-0054"
}
},
"description": "SAP NetWeaver Application Server Java\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u63d0\u4f9b\u4e86Java\u8fd0\u884c\u73af\u5883\u7684\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u5f00\u53d1\u548c\u8fd0\u884cJava EE\u5e94\u7528\u7a0b\u5e8f\u3002 \n\nSAP NetWeaver Application Server Java\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u6076\u610f\u811a\u672c\u6216HTML\u4ee3\u7801\uff0c\u5f53\u6076\u610f\u6570\u636e\u88ab\u67e5\u770b\u65f6\uff0c\u53ef\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u52ab\u6301\u7528\u6237\u4f1a\u8bdd\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2025-03269",
"openTime": "2025-02-20",
"patchDescription": "SAP NetWeaver Application Server Java\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u63d0\u4f9b\u4e86Java\u8fd0\u884c\u73af\u5883\u7684\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u5f00\u53d1\u548c\u8fd0\u884cJava EE\u5e94\u7528\u7a0b\u5e8f\u3002 \r\n\r\nSAP NetWeaver Application Server Java\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u6076\u610f\u811a\u672c\u6216HTML\u4ee3\u7801\uff0c\u5f53\u6076\u610f\u6570\u636e\u88ab\u67e5\u770b\u65f6\uff0c\u53ef\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u6216\u52ab\u6301\u7528\u6237\u4f1a\u8bdd\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "SAP NetWeaver Application Server Java\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "SAP SAP NetWeaver Application Server Java null"
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-2173",
"serverity": "\u4e2d",
"submitTime": "2025-02-19",
"title": "SAP NetWeaver Application Server Java\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}
CERTFR-2025-AVI-0114
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | N/A | HANA extended application services, advanced model (User Account and Authentication Services) version SAP_EXTENDED_APP_SERVICES 1 sans le dernier correctif de sécurité | ||
| SAP | N/A | Fiori for ERP versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | BusinessObjects Platform (BI Launchpad) versions ENTERPRISE 430 et 2025 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver and ABAP platform (ST-PI) versions ST-PI 2008_1_700, ST-PI 2008_1_710 et ST-PI 740 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server Java version WD-RUNTIME 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | Supplier Relationship Management (Master Data Management Catalog) version SRM_MDM_CAT 7.52 sans le dernier correctif de sécurité | ||
| SAP | N/A | Fiori Apps Reference Library (My Overtime Requests) version GBX01HR5 605 sans le dernier correctif de sécurité | ||
| SAP | N/A | Commerce (Backoffice) versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de sécurité | ||
| SAP | N/A | BusinessObjects Business Intelligence platform (Central Management Console) versions ENTERPRISE 430 et 2025 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server Java versions EP-BASIS 7.50 et FRAMEWORK-EXT 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver and ABAP Platform (SDCCN) versions ST-PI 2008_1_700, ST-PI 2008_1_710 et ST-PI 740 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Server ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver AS Java for Deploy Service versions ENGINEAPI 7.50 et SERVERCORE 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | Commerce versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de sécurité | ||
| SAP | N/A | GUI for Windows version BC-FES-GUI 8.00 sans le dernier correctif de sécurité | ||
| SAP | N/A | Enterprise Project Connection version 3.0 sans le dernier correctif de sécurité | ||
| SAP | N/A | ABAP Platform (ABAP Build Framework) versions SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver AS Java (User Admin Application) version 7.50 sans le dernier correctif de sécurité |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "HANA extended application services, advanced model (User Account and Authentication Services) version SAP_EXTENDED_APP_SERVICES 1 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori for ERP versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Platform (BI Launchpad) versions ENTERPRISE 430 et 2025 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver and ABAP platform (ST-PI) versions ST-PI 2008_1_700, ST-PI 2008_1_710 et ST-PI 740 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server Java version WD-RUNTIME 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Supplier Relationship Management (Master Data Management Catalog) version SRM_MDM_CAT 7.52 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori Apps Reference Library (My Overtime Requests) version GBX01HR5 605 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Commerce (Backoffice) versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Business Intelligence platform (Central Management Console) versions ENTERPRISE 430 et 2025 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server Java versions EP-BASIS 7.50 et FRAMEWORK-EXT 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver and ABAP Platform (SDCCN) versions ST-PI 2008_1_700, ST-PI 2008_1_710 et ST-PI 740 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Server ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS Java for Deploy Service versions ENGINEAPI 7.50 et SERVERCORE 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Commerce versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "GUI for Windows version BC-FES-GUI 8.00 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Enterprise Project Connection version 3.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "ABAP Platform (ABAP Build Framework) versions SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS Java (User Admin Application) version 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-24874",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24874"
},
{
"name": "CVE-2025-24875",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24875"
},
{
"name": "CVE-2025-23191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23191"
},
{
"name": "CVE-2023-24527",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24527"
},
{
"name": "CVE-2025-0064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0064"
},
{
"name": "CVE-2024-38819",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38819"
},
{
"name": "CVE-2024-38820",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38820"
},
{
"name": "CVE-2025-23189",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23189"
},
{
"name": "CVE-2025-23193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23193"
},
{
"name": "CVE-2025-23187",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23187"
},
{
"name": "CVE-2025-24870",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24870"
},
{
"name": "CVE-2025-25241",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25241"
},
{
"name": "CVE-2024-45216",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45216"
},
{
"name": "CVE-2025-24876",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24876"
},
{
"name": "CVE-2025-23190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23190"
},
{
"name": "CVE-2024-22126",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22126"
},
{
"name": "CVE-2025-25243",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25243"
},
{
"name": "CVE-2024-45217",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45217"
},
{
"name": "CVE-2025-0054",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0054"
},
{
"name": "CVE-2024-38828",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38828"
},
{
"name": "CVE-2025-24867",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24867"
},
{
"name": "CVE-2025-24868",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24868"
},
{
"name": "CVE-2025-24869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24869"
},
{
"name": "CVE-2025-24872",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24872"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0114",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-02-11T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
"vendor_advisories": [
{
"published_at": "2025-02-10",
"title": "Bulletin de s\u00e9curit\u00e9 SAP february-2025",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html"
}
]
}
CERTFR-2025-AVI-0114
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| SAP | N/A | HANA extended application services, advanced model (User Account and Authentication Services) version SAP_EXTENDED_APP_SERVICES 1 sans le dernier correctif de sécurité | ||
| SAP | N/A | Fiori for ERP versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | BusinessObjects Platform (BI Launchpad) versions ENTERPRISE 430 et 2025 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver and ABAP platform (ST-PI) versions ST-PI 2008_1_700, ST-PI 2008_1_710 et ST-PI 740 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server Java version WD-RUNTIME 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | Supplier Relationship Management (Master Data Management Catalog) version SRM_MDM_CAT 7.52 sans le dernier correctif de sécurité | ||
| SAP | N/A | Fiori Apps Reference Library (My Overtime Requests) version GBX01HR5 605 sans le dernier correctif de sécurité | ||
| SAP | N/A | Commerce (Backoffice) versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de sécurité | ||
| SAP | N/A | BusinessObjects Business Intelligence platform (Central Management Console) versions ENTERPRISE 430 et 2025 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Application Server Java versions EP-BASIS 7.50 et FRAMEWORK-EXT 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver and ABAP Platform (SDCCN) versions ST-PI 2008_1_700, ST-PI 2008_1_710 et ST-PI 740 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver Server ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver AS Java for Deploy Service versions ENGINEAPI 7.50 et SERVERCORE 7.50 sans le dernier correctif de sécurité | ||
| SAP | N/A | Commerce versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de sécurité | ||
| SAP | N/A | GUI for Windows version BC-FES-GUI 8.00 sans le dernier correctif de sécurité | ||
| SAP | N/A | Enterprise Project Connection version 3.0 sans le dernier correctif de sécurité | ||
| SAP | N/A | ABAP Platform (ABAP Build Framework) versions SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité | ||
| SAP | N/A | NetWeaver AS Java (User Admin Application) version 7.50 sans le dernier correctif de sécurité |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "HANA extended application services, advanced model (User Account and Authentication Services) version SAP_EXTENDED_APP_SERVICES 1 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori for ERP versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Platform (BI Launchpad) versions ENTERPRISE 430 et 2025 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver and ABAP platform (ST-PI) versions ST-PI 2008_1_700, ST-PI 2008_1_710 et ST-PI 740 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server Java version WD-RUNTIME 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Supplier Relationship Management (Master Data Management Catalog) version SRM_MDM_CAT 7.52 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Fiori Apps Reference Library (My Overtime Requests) version GBX01HR5 605 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Commerce (Backoffice) versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "BusinessObjects Business Intelligence platform (Central Management Console) versions ENTERPRISE 430 et 2025 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Application Server Java versions EP-BASIS 7.50 et FRAMEWORK-EXT 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver and ABAP Platform (SDCCN) versions ST-PI 2008_1_700, ST-PI 2008_1_710 et ST-PI 740 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver Server ABAP versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS Java for Deploy Service versions ENGINEAPI 7.50 et SERVERCORE 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Commerce versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "GUI for Windows version BC-FES-GUI 8.00 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "Enterprise Project Connection version 3.0 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "ABAP Platform (ABAP Build Framework) versions SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
},
{
"description": "NetWeaver AS Java (User Admin Application) version 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "SAP",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-24874",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24874"
},
{
"name": "CVE-2025-24875",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24875"
},
{
"name": "CVE-2025-23191",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23191"
},
{
"name": "CVE-2023-24527",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24527"
},
{
"name": "CVE-2025-0064",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0064"
},
{
"name": "CVE-2024-38819",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38819"
},
{
"name": "CVE-2024-38820",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38820"
},
{
"name": "CVE-2025-23189",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23189"
},
{
"name": "CVE-2025-23193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23193"
},
{
"name": "CVE-2025-23187",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23187"
},
{
"name": "CVE-2025-24870",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24870"
},
{
"name": "CVE-2025-25241",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25241"
},
{
"name": "CVE-2024-45216",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45216"
},
{
"name": "CVE-2025-24876",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24876"
},
{
"name": "CVE-2025-23190",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23190"
},
{
"name": "CVE-2024-22126",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22126"
},
{
"name": "CVE-2025-25243",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25243"
},
{
"name": "CVE-2024-45217",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45217"
},
{
"name": "CVE-2025-0054",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-0054"
},
{
"name": "CVE-2024-38828",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38828"
},
{
"name": "CVE-2025-24867",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24867"
},
{
"name": "CVE-2025-24868",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24868"
},
{
"name": "CVE-2025-24869",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24869"
},
{
"name": "CVE-2025-24872",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24872"
}
],
"links": [],
"reference": "CERTFR-2025-AVI-0114",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-02-11T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
"vendor_advisories": [
{
"published_at": "2025-02-10",
"title": "Bulletin de s\u00e9curit\u00e9 SAP february-2025",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html"
}
]
}
FKIE_CVE-2025-0054
Vulnerability from fkie_nvd - Published: 2025-02-11 01:15 - Updated: 2025-02-18 18:15
Severity ?
Summary
SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim\u0027s web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page."
},
{
"lang": "es",
"value": "El servidor de aplicaciones Java de SAP NetWeaver no gestiona adecuadamente la entrada del usuario, lo que da lugar a una vulnerabilidad Cross-Site Scripting Almacenado. La aplicaci\u00f3n permite a los atacantes con privilegios de usuario b\u00e1sicos almacenar un payload Javascript en el servidor, que podr\u00eda ejecutarse posteriormente en el navegador web de la v\u00edctima. Con esto, el atacante podr\u00eda leer o modificar informaci\u00f3n asociada a la p\u00e1gina web vulnerable."
}
],
"id": "CVE-2025-0054",
"lastModified": "2025-02-18T18:15:28.260",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "cna@sap.com",
"type": "Secondary"
}
]
},
"published": "2025-02-11T01:15:09.650",
"references": [
{
"source": "cna@sap.com",
"url": "https://me.sap.com/notes/3526203"
},
{
"source": "cna@sap.com",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "cna@sap.com",
"type": "Primary"
}
]
}
WID-SEC-W-2025-0307
Vulnerability from csaf_certbund - Published: 2025-02-10 23:00 - Updated: 2025-02-10 23:00Summary
SAP Patchday Februar 2025: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
SAP stellt unternehmensweite Lösungen für Geschäftsprozesse wie Buchführung, Vertrieb, Einkauf und Lagerhaltung zur Verfügung.
Angriff
Ein Angreifer kann mehrere Schwachstellen in der SAP-Software ausnutzen, um erhöhte Berechtigungen zu erlangen, Sicherheitsmaßnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuführen, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen.
Betroffene Betriebssysteme
- Sonstiges
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "SAP stellt unternehmensweite L\u00f6sungen f\u00fcr Gesch\u00e4ftsprozesse wie Buchf\u00fchrung, Vertrieb, Einkauf und Lagerhaltung zur Verf\u00fcgung.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in der SAP-Software ausnutzen, um erh\u00f6hte Berechtigungen zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-0307 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0307.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-0307 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0307"
},
{
"category": "external",
"summary": "SAP Security Patch Day vom 2025-02-10",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html"
}
],
"source_lang": "en-US",
"title": "SAP Patchday Februar 2025: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-02-10T23:00:00.000+00:00",
"generator": {
"date": "2025-02-11T10:06:06.082+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.10"
}
},
"id": "WID-SEC-W-2025-0307",
"initial_release_date": "2025-02-10T23:00:00.000+00:00",
"revision_history": [
{
"date": "2025-02-10T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "SAP Software",
"product": {
"name": "SAP Software",
"product_id": "T040977",
"product_identification_helper": {
"cpe": "cpe:/a:sap:sap:-"
}
}
}
],
"category": "vendor",
"name": "SAP"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-24527",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2023-24527"
},
{
"cve": "CVE-2024-22126",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2024-22126"
},
{
"cve": "CVE-2024-38819",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2024-38819"
},
{
"cve": "CVE-2024-38820",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2024-38820"
},
{
"cve": "CVE-2024-38828",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2024-38828"
},
{
"cve": "CVE-2024-45216",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2024-45216"
},
{
"cve": "CVE-2024-45217",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2024-45217"
},
{
"cve": "CVE-2025-0054",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-0054"
},
{
"cve": "CVE-2025-0064",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-0064"
},
{
"cve": "CVE-2025-23187",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-23187"
},
{
"cve": "CVE-2025-23189",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-23189"
},
{
"cve": "CVE-2025-23190",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-23190"
},
{
"cve": "CVE-2025-23191",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-23191"
},
{
"cve": "CVE-2025-23193",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-23193"
},
{
"cve": "CVE-2025-24867",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-24867"
},
{
"cve": "CVE-2025-24868",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-24868"
},
{
"cve": "CVE-2025-24869",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-24869"
},
{
"cve": "CVE-2025-24870",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-24870"
},
{
"cve": "CVE-2025-24872",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-24872"
},
{
"cve": "CVE-2025-24874",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-24874"
},
{
"cve": "CVE-2025-24875",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-24875"
},
{
"cve": "CVE-2025-24876",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-24876"
},
{
"cve": "CVE-2025-25241",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-25241"
},
{
"cve": "CVE-2025-25243",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in SAP-Software. Diese Schwachstellen bestehen in verschiedenen Komponenten wie NetWeaver, BusinessObjects Business Intelligence oder Enterprise Project Connection, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie Path-Traversal-Probleme, fehlende Berechtigungspr\u00fcfungen oder eine unsachgem\u00e4\u00dfe Eingabevalidierung und mehr. Ein Angreifer kann diese Schwachstellen ausnutzen, um erweiterte Rechte zu erlangen, Sicherheitsma\u00dfnahmen zu umgehen, Cross-Site-Scripting- und Spoofing-Angriffe durchzuf\u00fchren, Daten zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen. Einige dieser Schwachstellen erfordern eine Benutzerinteraktion oder ein bestimmtes Ma\u00df an Berechtigungen, um erfolgreich ausgenutzt zu werden."
}
],
"product_status": {
"known_affected": [
"T040977"
]
},
"release_date": "2025-02-10T23:00:00.000+00:00",
"title": "CVE-2025-25243"
}
]
}
GHSA-JJQ7-XC67-VRV3
Vulnerability from github – Published: 2025-02-11 03:30 – Updated: 2025-02-11 03:30
VLAI?
Details
SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.
Severity ?
5.4 (Medium)
{
"affected": [],
"aliases": [
"CVE-2025-0054"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T01:15:09Z",
"severity": "MODERATE"
},
"details": "SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim\u0027s web browser. With this the attacker might be able to read or modify information associated with the vulnerable web page.",
"id": "GHSA-jjq7-xc67-vrv3",
"modified": "2025-02-11T03:30:54Z",
"published": "2025-02-11T03:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0054"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3526203"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
NCSC-2025-0045
Vulnerability from csaf_ncscnl - Published: 2025-02-11 09:08 - Updated: 2025-02-11 09:08Summary
Kwetsbaarheden verholpen in SAP producten
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
SAP heeft kwetsbaarheden verholpen in onder andere SAP NetWeaver, BusinessObjects Business Intelligence platform, Enterprise Project Connection en Commerce.
Interpretaties
De kwetsbaarheden in SAP NetWeaver omvatten een gebrek aan toegangscontrole, wat ongeauthenticeerde aanvallers in staat stelt om toegang te krijgen tot gevoelige serverinstellingen en gegevens. Daarnaast zijn er Cross-Site Scripting kwetsbaarheden in SAP producten die de vertrouwelijkheid van gegevens ernstig kunnen aantasten. De kwetsbaarheden kunnen worden misbruikt door aanvallers om ongeautoriseerde toegang te verkrijgen tot gevoelige informatie, wat kan leiden tot datalekken en andere beveiligingsincidenten.
Oplossingen
SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans
medium
Schade
high
CWE-921
Storage of Sensitive Data in a Mechanism without Access Control
CWE-1021
Improper Restriction of Rendered UI Layers or Frames
CWE-1188
Initialization of a Resource with an Insecure Default
CWE-178
Improper Handling of Case Sensitivity
CWE-732
Incorrect Permission Assignment for Critical Resource
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE-644
Improper Neutralization of HTTP Headers for Scripting Syntax
CWE-204
Observable Response Discrepancy
CWE-404
Improper Resource Shutdown or Release
CWE-306
Missing Authentication for Critical Function
CWE-862
Missing Authorization
CWE-352
Cross-Site Request Forgery (CSRF)
CWE-284
Improper Access Control
CWE-863
Incorrect Authorization
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-287
Improper Authentication
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "SAP heeft kwetsbaarheden verholpen in onder andere SAP NetWeaver, BusinessObjects Business Intelligence platform, Enterprise Project Connection en Commerce.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden in SAP NetWeaver omvatten een gebrek aan toegangscontrole, wat ongeauthenticeerde aanvallers in staat stelt om toegang te krijgen tot gevoelige serverinstellingen en gegevens. Daarnaast zijn er Cross-Site Scripting kwetsbaarheden in SAP producten die de vertrouwelijkheid van gegevens ernstig kunnen aantasten. De kwetsbaarheden kunnen worden misbruikt door aanvallers om ongeautoriseerde toegang te verkrijgen tot gevoelige informatie, wat kan leiden tot datalekken en andere beveiligingsincidenten.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "SAP heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Storage of Sensitive Data in a Mechanism without Access Control",
"title": "CWE-921"
},
{
"category": "general",
"text": "Improper Restriction of Rendered UI Layers or Frames",
"title": "CWE-1021"
},
{
"category": "general",
"text": "Initialization of a Resource with an Insecure Default",
"title": "CWE-1188"
},
{
"category": "general",
"text": "Improper Handling of Case Sensitivity",
"title": "CWE-178"
},
{
"category": "general",
"text": "Incorrect Permission Assignment for Critical Resource",
"title": "CWE-732"
},
{
"category": "general",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "general",
"text": "Improper Neutralization of HTTP Headers for Scripting Syntax",
"title": "CWE-644"
},
{
"category": "general",
"text": "Observable Response Discrepancy",
"title": "CWE-204"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "general",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "general",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "general",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "general",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference - ncscclear",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html"
}
],
"title": "Kwetsbaarheden verholpen in SAP producten",
"tracking": {
"current_release_date": "2025-02-11T09:08:48.427126Z",
"id": "NCSC-2025-0045",
"initial_release_date": "2025-02-11T09:08:48.427126Z",
"revision_history": [
{
"date": "2025-02-11T09:08:48.427126Z",
"number": "0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "supplier_relationship_management",
"product": {
"name": "supplier_relationship_management",
"product_id": "CSAFPID-1760711",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:supplier_relationship_management:7.52:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "netweaver",
"product": {
"name": "netweaver",
"product_id": "CSAFPID-16504",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:netweaver:application_server_java:7.50:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "netweaver_server_abap",
"product": {
"name": "netweaver_server_abap",
"product_id": "CSAFPID-1760738",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:netweaver_server_abap:758:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "netweaver_java_application_server",
"product": {
"name": "netweaver_java_application_server",
"product_id": "CSAFPID-406035",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:netweaver_java_application_server:7.5:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "netweaver_as_java",
"product": {
"name": "netweaver_as_java",
"product_id": "CSAFPID-837776",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:netweaver_as_java:7.50:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "netweaver_application_server_java",
"product": {
"name": "netweaver_application_server_java",
"product_id": "CSAFPID-1760739",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:netweaver_application_server_java:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "netweaver_as_java_for_deploy_service",
"product": {
"name": "netweaver_as_java_for_deploy_service",
"product_id": "CSAFPID-1759878",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:netweaver_as_java_for_deploy_service:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "abap_platform",
"product": {
"name": "abap_platform",
"product_id": "CSAFPID-340940",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:abap_platform:758:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "commerce_backoffice",
"product": {
"name": "commerce_backoffice",
"product_id": "CSAFPID-1760724",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:commerce_backoffice:*:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "commerce",
"product": {
"name": "commerce",
"product_id": "CSAFPID-234320",
"product_identification_helper": {
"cpe": "cpe:2.3:a:sap:commerce:*:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "sap"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-24527",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"notes": [
{
"category": "other",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-24527",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-24527.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2023-24527"
},
{
"cve": "CVE-2024-22126",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-22126",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22126.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.0"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2024-22126"
},
{
"cve": "CVE-2024-38819",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-38819",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38819.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2024-38819"
},
{
"cve": "CVE-2024-38820",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "other",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "other",
"text": "Improper Handling of Case Sensitivity",
"title": "CWE-178"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-38820",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38820.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2024-38820"
},
{
"cve": "CVE-2024-38828",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-38828",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38828.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2024-38828"
},
{
"cve": "CVE-2024-45216",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "other",
"text": "Improper Authentication",
"title": "CWE-287"
},
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45216",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45216.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2024-45216"
},
{
"cve": "CVE-2024-45217",
"cwe": {
"id": "CWE-1188",
"name": "Initialization of a Resource with an Insecure Default"
},
"notes": [
{
"category": "other",
"text": "Initialization of a Resource with an Insecure Default",
"title": "CWE-1188"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-45217",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45217.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2024-45217"
},
{
"cve": "CVE-2025-0054",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-0054",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-0054.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-0054"
},
{
"cve": "CVE-2025-0064",
"cwe": {
"id": "CWE-732",
"name": "Incorrect Permission Assignment for Critical Resource"
},
"notes": [
{
"category": "other",
"text": "Incorrect Permission Assignment for Critical Resource",
"title": "CWE-732"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-0064",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-0064.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-0064"
},
{
"cve": "CVE-2025-23187",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-23187",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-23187.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-23187"
},
{
"cve": "CVE-2025-23189",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-23189",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-23189.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-23189"
},
{
"cve": "CVE-2025-23190",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-23190",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-23190.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-23190"
},
{
"cve": "CVE-2025-23191",
"cwe": {
"id": "CWE-644",
"name": "Improper Neutralization of HTTP Headers for Scripting Syntax"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of HTTP Headers for Scripting Syntax",
"title": "CWE-644"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-23191",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-23191.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-23191"
},
{
"cve": "CVE-2025-23193",
"cwe": {
"id": "CWE-204",
"name": "Observable Response Discrepancy"
},
"notes": [
{
"category": "other",
"text": "Observable Response Discrepancy",
"title": "CWE-204"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-23193",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-23193.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-23193"
},
{
"cve": "CVE-2025-24867",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"title": "CWE-79"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24867",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24867.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24867"
},
{
"cve": "CVE-2025-24868",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "other",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24868",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24868.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24868"
},
{
"cve": "CVE-2025-24869",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"notes": [
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24869",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24869.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24869"
},
{
"cve": "CVE-2025-24870",
"cwe": {
"id": "CWE-921",
"name": "Storage of Sensitive Data in a Mechanism without Access Control"
},
"notes": [
{
"category": "other",
"text": "Storage of Sensitive Data in a Mechanism without Access Control",
"title": "CWE-921"
},
{
"category": "general",
"text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24870",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24870.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.0,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24870"
},
{
"cve": "CVE-2025-24872",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"notes": [
{
"category": "other",
"text": "Incorrect Authorization",
"title": "CWE-863"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24872",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24872.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24872"
},
{
"cve": "CVE-2025-24874",
"cwe": {
"id": "CWE-1021",
"name": "Improper Restriction of Rendered UI Layers or Frames"
},
"notes": [
{
"category": "other",
"text": "Improper Restriction of Rendered UI Layers or Frames",
"title": "CWE-1021"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24874",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24874.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24874"
},
{
"cve": "CVE-2025-24875",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"notes": [
{
"category": "other",
"text": "Cross-Site Request Forgery (CSRF)",
"title": "CWE-352"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24875",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24875.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24875"
},
{
"cve": "CVE-2025-24876",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "other",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-24876",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24876.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-24876"
},
{
"cve": "CVE-2025-25241",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"notes": [
{
"category": "other",
"text": "Missing Authorization",
"title": "CWE-862"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-25241",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-25241.json"
}
],
"title": "CVE-2025-25241"
},
{
"cve": "CVE-2025-25243",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-25243",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-25243.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1760711",
"CSAFPID-16504",
"CSAFPID-1760738",
"CSAFPID-406035",
"CSAFPID-837776",
"CSAFPID-1760739",
"CSAFPID-1759878",
"CSAFPID-340940",
"CSAFPID-1760724",
"CSAFPID-234320"
]
}
],
"title": "CVE-2025-25243"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…