CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42993 – Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement)
https://notcve.org/view.php?id=CVE-2025-42993
10 Jun 2025 — Due to a missing authorization check vulnerability in SAP S/4HANA (Enterprise Event Enablement), an attacker with access to the Inbound Binding Configuration could create an RFC destination and assign an arbitrary high-privilege user. This allows the attacker to consume events via the RFC destination, leading to code execution under the privileges of the assigned high-privilege user. While the vulnerability has a low impact on Availability, it significantly poses a high risk to both Confidentiality and Inte... • https://me.sap.com/notes/3580384 • CWE-862: Missing Authorization •
CVSS: 3.0EPSS: 0%CPEs: 5EXPL: 0CVE-2025-42990 – HTML Injection in Unprotected SAPUI5 applications
https://notcve.org/view.php?id=CVE-2025-42990
10 Jun 2025 — Unprotected SAPUI5 applications allow an attacker with basic privileges to inject malicious HTML code into a webpage, with the goal of redirecting users to the attacker controlled URL. This issue could impact the integrity of the application. Confidentiality or Availability are not impacted. • https://me.sap.com/notes/3601169 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-42989 – Missing Authorization check in SAP NetWeaver Application Server for ABAP
https://notcve.org/view.php?id=CVE-2025-42989
10 Jun 2025 — RFC inbound processing�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation the attacker could critically impact both integrity and availability of the application. • https://me.sap.com/notes/3600840 • CWE-862: Missing Authorization •
CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42988 – Server-Side Request Forgery in SAP Business Objects Business Intelligence Platform
https://notcve.org/view.php?id=CVE-2025-42988
10 Jun 2025 — Under certain conditions, SAP Business Objects Business Intelligence Platform allows an unauthenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. This disclosure of information could further enable the researcher to cause SSRF. It has no impact on integrity and availability of the application. • https://me.sap.com/notes/3585545 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-42987 – Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statement)
https://notcve.org/view.php?id=CVE-2025-42987
10 Jun 2025 — SAP Manage Processing Rules (For Bank Statement) allows an attacker with basic privileges to edit shared rules of any user by tampering the request parameter. Due to missing authorization check, the attacker can edit rules that should be restricted, compromising the integrity of the application. • https://me.sap.com/notes/3596850 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-42984 – Missing Authorization check in SAP S/4HANA (Manage Central Purchase Contract application)
https://notcve.org/view.php?id=CVE-2025-42984
10 Jun 2025 — SAP S/4HANA Manage Central Purchase Contract does not perform necessary authorization checks for an authenticated user. Due to this, an attacker could execute the function import on the entity making it inaccessible for unrestricted user. This has low impact on confidentiality and availability of the application. • https://me.sap.com/notes/3441087 • CWE-862: Missing Authorization •
CVSS: 8.5EPSS: 0%CPEs: 14EXPL: 0CVE-2025-42983 – Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis
https://notcve.org/view.php?id=CVE-2025-42983
10 Jun 2025 — SAP Business Warehouse and SAP Plug-In Basis allows an authenticated attacker to drop arbitrary SAP database tables, potentially resulting in a loss of data or rendering the system unusable. On successful exploitation, an attacker can completely delete database entries but is not able to read any data. • https://me.sap.com/notes/3606484 • CWE-862: Missing Authorization •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42977 – Directory Traversal vulnerability in SAP NetWeaver Visual Composer
https://notcve.org/view.php?id=CVE-2025-42977
10 Jun 2025 — SAP NetWeaver Visual Composer contains a Directory Traversal vulnerability caused by insufficient validation of input paths provided by a high-privileged user. This allows an attacker to read or modify arbitrary files, resulting in a high impact on confidentiality and a low impact on integrity. • https://me.sap.com/notes/3610591 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-23192 – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace)
https://notcve.org/view.php?id=CVE-2025-23192
10 Jun 2025 — SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store malicious script within a workspace. When the victim accesses the workspace, the script will execute in their browser enabling the attacker to potentially access sensitive session information, modify or make browser information unavailable. This leads to a high impact on confidentiality and low impact on integrity, availability. • https://me.sap.com/notes/3560693 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.7EPSS: 0%CPEs: 6EXPL: 0CVE-2025-43011 – Missing Authorization Check in SAP Landscape Transformation (PCL Basis)
https://notcve.org/view.php?id=CVE-2025-43011
13 May 2025 — Under certain conditions, SAP Landscape Transformation's PCL Basis module does not perform the necessary authorization checks, allowing authenticated users to access restricted functionalities or data. This can lead to a high impact on confidentiality with no impact on the integrity or availability of the application. • https://me.sap.com/notes/3591978 • CWE-862: Missing Authorization •