
CVE-2025-31333 – OData meta-data tampering in SAP S4CORE entity
https://notcve.org/view.php?id=CVE-2025-31333
08 Apr 2025 — The SAP S4CORE OData meta-data property is vulnerable to data tampering, which allows an attacker to externally modify an entity set, causing low impact on the integrity of the application. Confidentiality and availability are not impacted. • https://me.sap.com/notes/3525971 • CWE-472: External Control of Assumed-Immutable Web Parameter

CVE-2025-31332 – Insecure File permissions vulnerability in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2025-31332
08 Apr 2025 — Due to insecure file permissions in SAP BusinessObjects Business Intelligence Platform, an attacker who has local access to the system could modify files, potentially disrupting operations or causing service downtime, leading to a high impact on integrity and availability. However, this vulnerability does not disclose any sensitive data. • https://me.sap.com/notes/3565751 • CWE-277: Insecure Inherited Permissions

CVE-2025-31331 – Authorization Bypass vulnerability in SAP NetWeaver
https://notcve.org/view.php?id=CVE-2025-31331
08 Apr 2025 — SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code without proper authorization. This vulnerability compromises confidentiality. • https://me.sap.com/notes/3577131 • CWE-863: Incorrect Authorization

CVE-2025-30017 – Missing Authorization check in SAP Solution Manager
https://notcve.org/view.php?id=CVE-2025-30017
08 Apr 2025 — Due to a missing authorization check, an authenticated attacker could upload a file as a template for solution documentation in SAP Solution Manager 7.1. After successful exploitation, an attacker can cause limited impact on the integrity and availability of the application. • https://me.sap.com/notes/3558864 • CWE-862: Missing Authorization

CVE-2025-30016 – Authentication Bypass Vulnerability in SAP Financial Consolidation
https://notcve.org/view.php?id=CVE-2025-30016
08 Apr 2025 — SAP Financial Consolidation allows an unauthenticated attacker to gain unauthorized access to the Admin account. The vulnerability arises from improper authentication mechanisms and has a high impact on the confidentiality, integrity and availability of the application. • https://me.sap.com/notes/3572688 • CWE-921: Storage of Sensitive Data in a Mechanism without Access Control

CVE-2025-30015 – Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP)
https://notcve.org/view.php?id=CVE-2025-30015
08 Apr 2025 — Due to incorrect memory address handling in ABAP SQL of SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker with high privileges could execute certain forms of SQL queries leading to manipulation of content in the output variable. This vulnerability has a low impact on the confidentiality, integrity and availability of the application. • https://me.sap.com/notes/3565944 • CWE-787: Out-of-bounds Write

CVE-2025-30014 – Directory Traversal vulnerability in SAP Capital Yield Tax Management
https://notcve.org/view.php?id=CVE-2025-30014
08 Apr 2025 — SAP Capital Yield Tax Management has a directory traversal vulnerability due to insufficient path validation. This could allow an attacker with low privileges to read files from directories they do not have access to, causing a high impact on confidentiality. Integrity and availability are not affected. • https://me.sap.com/notes/2927164 • CWE-35: Path Traversal: '.../

CVE-2025-30013 – Code Injection vulnerability in SAP ERP BW Business Content
https://notcve.org/view.php?id=CVE-2025-30013
08 Apr 2025 — SAP ERP BW Business Content is vulnerable to OS Command Injection through certain function modules. These function modules, when executed with elevated privileges, improperly handle user input, allowing an attacker to inject arbitrary OS commands. This vulnerability allows the execution of unintended commands on the underlying system, posing a significant security risk to the confidentiality, integrity and availability of the application. • https://me.sap.com/notes/3571093 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-27429 – Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise)
https://notcve.org/view.php?id=CVE-2025-27429
08 Apr 2025 — SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. • https://me.sap.com/notes/3581961 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-27428 – Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection)
https://notcve.org/view.php?id=CVE-2025-27428
08 Apr 2025 — Due to a directory traversal vulnerability, an authorized attacker could gain access to some critical information by using an RFC-enabled function module. Upon successful exploitation, they could read files from any managed system connected to SAP Solution Manager, leading to a high impact on confidentiality. There is no impact on integrity or availability. • https://me.sap.com/notes/3581811 • CWE-862: Missing Authorization