
CVSS: 8.5 • EPSS: 0% • CPEs: 13 • EXPL: 0

12 Aug 2025 — SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. On successful exploitation, this results in the crash of the target component. Multiple submissions can make the target completely unavailable. A similarly crafted submission can be used to perform an out-of-bounds read operation as well, revealing sensitive information that is loaded in memory at that time. There ... • https://me.sap.com/notes/3611184 • CWE-125: Out-of-bounds Read •

CVSS: 6.4 • EPSS: 0% • CPEs: 13 • EXPL: 0

12 Aug 2025 — SAP NetWeaver Application Server ABAP (BIC Document) allows an unauthenticated attacker to craft a URL link which, when accessed on the BIC Document application, embeds a malicious script. When a victim clicks on this link, the script executes in the victim's browser, allowing the attacker to access and/or modify information related to the web client without affecting availability. • https://me.sap.com/notes/3611184 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4 • EPSS: 0% • CPEs: 8 • EXPL: 0

12 Aug 2025 — Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website's page generation, resulting in the creation of malicious content. When this malicious content gets executed, the attacker could gain the ability to access/modify information within the scope of victim's browser. • https://me.sap.com/notes/3629871 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4 • EPSS: 0% • CPEs: 5 • EXPL: 0

12 Aug 2025 — SAP NetWeaver Application Server ABAP has an HTML injection vulnerability. Due to this, an attacker could craft a URL with malicious script as payload and trick a victim with active user session into executing it. Upon successful exploit, this vulnerability could lead to limited access to data or its manipulation. There is no impact on availability. • https://me.sap.com/notes/3585491 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 4.1 • EPSS: 0% • CPEs: 10 • EXPL: 0

12 Aug 2025 — The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive information, resulting in information disclosure. This leads to high impact on the confidentiality of the application, with no impact on integrity or availability. • https://me.sap.com/notes/3601480 • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Jul 2025 — Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application. • https://me.sap.com/notes/3626440 • CWE-862: Missing Authorization •

CVSS: 4.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Jul 2025 — The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname that is used for the connection against the wildcard hostname defined in the received certificate of remote TLS server. This might lead to the outbound connection being established to a possibly malicious remote TLS server and hence disclose information. Integrity and Availability are not impacted. • https://me.sap.com/notes/3557179 • CWE-940: Improper Verification of Source of a Communication Channel •

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Jul 2025 — Due to missing authorization check, an attacker authenticated as a non-administrative user could call a remote-enabled function module. This could enable access to information normally restricted, resulting in low impact on confidentiality. There is no impact on integrity or availability. • https://me.sap.com/notes/3610056 • CWE-862: Missing Authorization •

CVSS: 5.0 • EPSS: 0% • CPEs: 17 • EXPL: 0

08 Jul 2025 — SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grant access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application. • https://me.sap.com/notes/3621037 • CWE-862: Missing Authorization •

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Jul 2025 — A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment. • https://me.sap.com/notes/3621771 • CWE-502: Deserialization of Untrusted Data •