CVSS: 4.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Jul 2025 — SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints. Successful exploitation may lead to information disclosure. This vulnerability does not impact the integrity or availability of the application. • https://me.sap.com/notes/3598118 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Jul 2025 — A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment. • https://me.sap.com/notes/3621771 • CWE-502: Deserialization of Untrusted Data •

CVSS: 6.4 • EPSS: 0% • CPEs: 14 • EXPL: 0

08 Jul 2025 — SAP Business Warehouse (Business Explorer Web) allows an attacker to create a malicious link. If an authenticated user clicks on this link, the injected script gets executed within the scope of victim's browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted. • https://me.sap.com/notes/3604212 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3 • EPSS: 0% • CPEs: 17 • EXPL: 0

08 Jul 2025 — SAP Business Warehouse and SAP BW/4HANA BEx Tools allow an authenticated attacker to gain higher access levels than intended by exploiting improper authorization checks. This could potentially impact data integrity by allowing deletion of user table entries. It has no impact on the confidentiality and availability of the application. • https://me.sap.com/notes/3608991 • CWE-862: Missing Authorization •

CVSS: 3.3 • EPSS: 0% • CPEs: 17 • EXPL: 0

08 Jul 2025 — SAP NetWeaver Business Warehouse CCAW application allows a privileged attacker to cause a high CPU load by executing RFC-enabled function modules without any input parameters, which results in reduced performance or interrupted operation of the affected resource. This leads to low impact on availability of the application; there is no impact on confidentiality and integrity. • https://me.sap.com/notes/3608156 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVSS: 7.7 • EPSS: 0% • CPEs: 14 • EXPL: 0

08 Jul 2025 — SAP Business Warehouse and SAP Plug-In Basis allow an authenticated attacker to add fields to arbitrary SAP database tables and/or structures, potentially rendering the system unusable. On successful exploitation, an attacker can render the system unusable by triggering short dumps on login. This could cause a high impact on availability. Data confidentiality and integrity are not affected. No data can be read, changed or deleted. • https://me.sap.com/notes/3623255 • CWE-862: Missing Authorization •

CVSS: 4.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

08 Jul 2025 — SAP BusinessObjects Business Intelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. This could lead to unintended redirects or manipulation of application behavior, such as redirecting users to attacker-controlled domains. This issue primarily affects the integrity of the system. However, the confidentiality and availability of the system remain unaffected. • https://me.sap.com/notes/3573199 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVSS: 8.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jun 2025 — Due to a missing authorization check vulnerability in SAP S/4HANA (Enterprise Event Enablement), an attacker with access to the Inbound Binding Configuration could create an RFC destination and assign an arbitrary high-privilege user. This allows the attacker to consume events via the RFC destination, leading to code execution under the privileges of the assigned high-privilege user. While the vulnerability has a low impact on Availability, it significantly poses a high risk to both Confidentiality and Inte... • https://me.sap.com/notes/3580384 • CWE-862: Missing Authorization •

CVSS: 3.0 • EPSS: 0% • CPEs: 5 • EXPL: 0

10 Jun 2025 — Unprotected SAPUI5 applications allow an attacker with basic privileges to inject malicious HTML code into a webpage, with the goal of redirecting users to the attacker-controlled URL. This issue could impact the integrity of the application. Confidentiality or Availability are not impacted. • https://me.sap.com/notes/3601169 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.6 • EPSS: 0% • CPEs: 4 • EXPL: 0

10 Jun 2025 — RFC inbound processing does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation the attacker could critically impact both integrity and availability of the application. • https://me.sap.com/notes/3600840 • CWE-862: Missing Authorization •