
CVSS: 8.5 • EPSS: 0% • CPEs: 13 • EXPL: 0

12 Aug 2025 — SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. On successful exploitation, this results in the crash of the target component. Multiple submissions can make the target completely unavailable. A similarly crafted submission can be used to perform an out-of-bounds read operation as well, revealing sensitive information that is loaded in memory at that time. There ... • https://me.sap.com/notes/3611184 • CWE-125: Out-of-bounds Read •

CVSS: 6.4 • EPSS: 0% • CPEs: 13 • EXPL: 0

12 Aug 2025 — SAP NetWeaver Application Server ABAP (BIC Document) allows an unauthenticated attacker to craft a URL link which, when accessed on the BIC Document application, embeds a malicious script. When a victim clicks on this link, the script executes in the victim's browser, allowing the attacker to access and/or modify information related to the web client without affecting availability. • https://me.sap.com/notes/3611184 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.9 • EPSS: 0% • CPEs: 6 • EXPL: 0

12 Aug 2025 — SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. • https://me.sap.com/notes/3627998 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.4 • EPSS: 0% • CPEs: 8 • EXPL: 0

12 Aug 2025 — Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website's page generation, resulting in the creation of malicious content. When this malicious content gets executed, the attacker could gain the ability to access/modify information within the scope of the victim's browser. • https://me.sap.com/notes/3629871 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.9 • EPSS: 0% • CPEs: 9 • EXPL: 0

12 Aug 2025 — Due to a directory traversal vulnerability in SAP S/4HANA (Bank Communication Management), an attacker with high privileges and access to a specific transaction and method in Bank Communication Management could gain unauthorized access to sensitive operating system files. This could allow the attacker to potentially read or delete these files, causing a high impact on confidentiality and a low impact on integrity. There is no impact on availability of the system. • https://me.sap.com/notes/3614804 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.4 • EPSS: 0% • CPEs: 5 • EXPL: 0

12 Aug 2025 — SAP NetWeaver Application Server ABAP has an HTML injection vulnerability. Due to this, an attacker could craft a URL with a malicious script as payload and trick a victim with an active user session into executing it. Upon successful exploitation, this vulnerability could lead to limited access to data or its manipulation. There is no impact on availability. • https://me.sap.com/notes/3585491 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 4.1 • EPSS: 0% • CPEs: 10 • EXPL: 0

12 Aug 2025 — The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive information, resulting in information disclosure. This leads to high impact on the confidentiality of the application, with no impact on integrity or availability. • https://me.sap.com/notes/3601480 • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 4.3 • EPSS: 0% • CPEs: 7 • EXPL: 0

12 Aug 2025 — SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the 'Trusted Sites' configuration by injecting line feed (LF) characters into application inputs. This vulnerability has a low impact on the application's integrity and no impact on confidentiality or availability. • https://me.sap.com/notes/3616863 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •

CVSS: 6.8 • EPSS: 0% • CPEs: 10 • EXPL: 0

23 Jul 2025 — SAP FICA ODN framework allows a high privileged user to inject a value into a local variable which can then be executed by the application. An attacker could thereby control the behaviour of the application, causing high impact on integrity, low impact on availability and no impact on confidentiality of the application. • https://me.sap.com/notes/3540688 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Jul 2025 — SAPCAR allows an attacker logged in with high privileges to override the permissions of the current and parent directories of the user or process extracting the archive, leading to privilege escalation. On successful exploitation, an attacker could modify the critical files by tampering with signed archives without breaking the signature, but it has a low impact on the confidentiality and availability of the system. • https://me.sap.com/notes/3595143 • CWE-266: Incorrect Privilege Assignment •