FKIE_CVE-2025-30009

Vulnerability from fkie_nvd - Published: 2025-05-13 01:15 - Updated: 2025-10-23 17:00
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim�s browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim�s browser, with no effect on availability of the application
References
cna@sap.comhttps://me.sap.com/notes/3578900Permissions Required
cna@sap.comhttps://url.sap/sapsecuritypatchdayNot Applicable
Impacted products
Vendor Product Version
sap supplier_relationship_management 7.14
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sap:supplier_relationship_management:7.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "C1A8BC33-96E4-4771-818D-92C1BB3F7E5C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim\ufffds browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim\ufffds browser, with no effect on availability of the application"
    },
    {
      "lang": "es",
      "value": "Live Auction Cockpit de SAP Supplier Relationship Management (SRM) utiliza un componente de applet de Java obsoleto dentro de los paquetes SRM afectados, lo que permite a un atacante no autenticado ejecutar un script malicioso en el navegador de la v\u00edctima. Esta vulnerabilidad tiene un impacto m\u00ednimo en la confidencialidad e integridad del navegador de la v\u00edctima, sin afectar la disponibilidad de la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2025-30009",
  "lastModified": "2025-10-23T17:00:46.330",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "cna@sap.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-05-13T01:15:47.407",
  "references": [
    {
      "source": "cna@sap.com",
      "tags": [
        "Permissions Required"
      ],
      "url": "https://me.sap.com/notes/3578900"
    },
    {
      "source": "cna@sap.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.