
CVE-2025-43007 – Missing Authorization check in SAP Service Parts Management (SPM)
https://notcve.org/view.php?id=CVE-2025-43007
13 May 2025 — SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on confidentiality, integrity and availability of the application. • https://me.sap.com/notes/2719724 • CWE-862: Missing Authorization •

CVE-2025-43003 – Information Disclosure vulnerability in SAP S/4HANA (Private Cloud & On-Premise)
https://notcve.org/view.php?id=CVE-2025-43003
13 May 2025 — SAP S/4 HANA allows an authenticated attacker with user privileges to configure a field not intended for their access and create a custom UI layout displaying this field. On performing this step the attacker could gain access to highly sensitive information. This could cause a high impact on confidentiality and minimal impact on integrity and availability of the application. • https://me.sap.com/notes/3596033 • CWE-749: Exposed Dangerous Method or Function •

CVE-2025-43002 – Missing Authorization check in SAP S4/HANA (OData meta-data property)
https://notcve.org/view.php?id=CVE-2025-43002
13 May 2025 — The SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to a missing authorization check. This could cause a low impact on confidentiality; integrity and availability of the application are not impacted. • https://me.sap.com/notes/3227940 • CWE-472: External Control of Assumed-Immutable Web Parameter •

CVE-2025-43000 – Information Disclosure Vulnerability in SAP Business Objects Business Intelligence Platform (PMW)
https://notcve.org/view.php?id=CVE-2025-43000
13 May 2025 — Under certain conditions Promotion Management Wizard (PMW) allows an attacker to access information which would otherwise be restricted. This has High impact on Confidentiality with Low impact on Integrity and Availability of the application. • https://me.sap.com/notes/3586013 • CWE-862: Missing Authorization •

CVE-2025-42999 – SAP NetWeaver Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2025-42999
13 May 2025 — SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content... • https://me.sap.com/notes/3604119 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-42997 – Information Disclosure vulnerability in SAP Gateway Client
https://notcve.org/view.php?id=CVE-2025-42997
13 May 2025 — Under certain conditions, SAP Gateway Client allows a high-privileged user to access restricted information beyond the scope of the application. Due to the possibility of influencing application behavior or performance through misuse of the exposed data, this may potentially lead to low impact on confidentiality, integrity, and availability. • https://me.sap.com/notes/3577300 • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2025-26662 – Cross-Site Scripting (XSS) vulnerability in the SAP Data Services Management Console
https://notcve.org/view.php?id=CVE-2025-26662
13 May 2025 — The Data Services Management Console does not sufficiently encode user-controlled inputs, allowing an attacker to inject malicious script. When a targeted victim, who is already logged in, clicks on the compromised link, the injected script gets executed within the scope of the victim's browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted. • https://me.sap.com/notes/3558755 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-31324 – SAP NetWeaver Unrestricted File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-31324
24 Apr 2025 — SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization check, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries. • https://github.com/rxerium/CVE-2025-31324 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-31328 – Cross-Site Request Forgery (CSRF) vulnerability in SAP S/4 HANA (Learning Solution)
https://notcve.org/view.php?id=CVE-2025-31328
22 Apr 2025 — SAP Learning Solution is vulnerable to Cross-Site Request Forgery (CSRF), allowing an attacker to trick an authenticated user into sending unintended requests to the server. A GET-based OData function is named in a way that violates the expected behaviour. This issue could impact both the confidentiality and integrity of the application without affecting the availability. • https://me.sap.com/notes/3446649 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-31327 – OData meta-data property entity tampering in SAP Field Logistics
https://notcve.org/view.php?id=CVE-2025-31327
22 Apr 2025 — The OData meta-data property of the SAP Field Logistics Manage Logistics application is vulnerable to data tampering, so certain fields could be modified externally by an attacker, causing a low impact on the integrity of the application. Confidentiality and availability are not impacted. • https://me.sap.com/notes/3359825 • CWE-472: External Control of Assumed-Immutable Web Parameter •