
CVE-2025-23187 – Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)
https://notcve.org/view.php?id=CVE-2025-23187
11 Feb 2025 — Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an unauthenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability. • https://me.sap.com/notes/3546470 • CWE-862: Missing Authorization •

CVE-2025-0064 – Improper Authorization in SAP BusinessObjects Business Intelligence platform (Central Management Console)
https://notcve.org/view.php?id=CVE-2025-0064
11 Feb 2025 — Under specific conditions, the Central Management Console of the SAP BusinessObjects Business Intelligence platform allows an attacker with admin rights to generate or retrieve a secret passphrase, enabling them to impersonate any user in the system. This results in a high impact on confidentiality and integrity, with no impact on availability. • https://me.sap.com/notes/3525794 • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2025-0070 – Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform
https://notcve.org/view.php?id=CVE-2025-0070
14 Jan 2025 — SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential security concerns. This results in a high impact on confidentiality, integrity, and availability. • https://me.sap.com/notes/3537476 • CWE-287: Improper Authentication •

CVE-2025-0069 – DLL Hijacking vulnerability in SAPSetup
https://notcve.org/view.php?id=CVE-2025-0069
14 Jan 2025 — Due to a DLL injection vulnerability in SAPSetup, an attacker with either local user privileges or with access to a compromised corporate user's Windows account could gain higher privileges. With this, they could move laterally within the network and further compromise the company's Active Directory. This leads to high impact on confidentiality, integrity and availability of the Windows server. • https://me.sap.com/notes/3542533 • CWE-427: Uncontrolled Search Path Element •

CVE-2025-0061 – Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2025-0061
14 Jan 2025 — SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. The attacker can access and modify all the data of the application. • https://me.sap.com/notes/3474398 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •

CVE-2025-0060 – Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2025-0060
14 Jan 2025 — SAP BusinessObjects Business Intelligence Platform allows an authenticated user with restricted access to inject malicious JS code which can read sensitive information from the server and send it to the attacker. The attacker could further use this information to impersonate a highly privileged user, causing high impact on confidentiality and integrity of the application. • https://me.sap.com/notes/3474398 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-0059 – Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
https://notcve.org/view.php?id=CVE-2025-0059
14 Jan 2025 — Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on confidentiality of the application. • https://me.sap.com/notes/3503138 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •

CVE-2025-0057 – Cross-Site Scripting vulnerability in SAP NetWeaver AS JAVA (User Admin Application)
https://notcve.org/view.php?id=CVE-2025-0057
14 Jan 2025 — SAP NetWeaver AS JAVA (User Admin Application) is vulnerable to a stored cross-site scripting vulnerability. An attacker posing as an admin can upload a photo with malicious JS content. When a victim visits the vulnerable component, the attacker can read and modify information within the scope of the victim's web browser. • https://me.sap.com/notes/3514421 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-0053 – Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
https://notcve.org/view.php?id=CVE-2025-0053
14 Jan 2025 — SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker to gain unauthorized access to system information. By using a specific URL parameter, an unauthenticated attacker could retrieve details such as system configuration. This has a limited impact on the confidentiality of the application and may be leveraged to facilitate further attacks or exploits. • https://me.sap.com/notes/3536461 • CWE-209: Generation of Error Message Containing Sensitive Information •

CVE-2024-54198 – Information Disclosure vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP
https://notcve.org/view.php?id=CVE-2024-54198
10 Dec 2024 — In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application. • https://me.sap.com/notes/3469791 • CWE-914: Improper Control of Dynamically-Identified Variables •