
CVE-2025-42947 – Code Injection vulnerability in SAP FICA ODN framework
https://notcve.org/view.php?id=CVE-2025-42947
23 Jul 2025 — SAP FICA ODN framework allows a high privileged user to inject a value into the local variable, which can then be executed by the application. An attacker could thereby control the behaviour of the application, causing high impact on integrity, low impact on availability and no impact on confidentiality of the application. • https://me.sap.com/notes/3540688 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-43001 – Multiple Privilege Escalation Vulnerabilities in SAPCAR
https://notcve.org/view.php?id=CVE-2025-43001
08 Jul 2025 — SAPCAR allows an attacker logged in with high privileges to override the permissions of the current and parent directories of the user or process extracting the archive, leading to privilege escalation. On successful exploitation, an attacker could modify the critical files by tampering with signed archives without breaking the signature, but it has a low impact on the confidentiality and availability of the system. • https://me.sap.com/notes/3595143 • CWE-266: Incorrect Privilege Assignment •

CVE-2025-42992 – Multiple Privilege Escalation Vulnerabilities in SAPCAR
https://notcve.org/view.php?id=CVE-2025-42992
08 Jul 2025 — SAPCAR allows an attacker logged in with high privileges to create a malicious SAR archive in SAPCAR. This could enable the attacker to exploit critical files and directory permissions without breaking signature validation, resulting in potential privilege escalation. This has high impact on integrity, but low impact on confidentiality and availability of the system. • https://me.sap.com/notes/3595143 • CWE-266: Incorrect Privilege Assignment •

CVE-2025-42986 – Missing Authorization check in SAP NetWeaver and ABAP Platform
https://notcve.org/view.php?id=CVE-2025-42986
08 Jul 2025 — Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application. • https://me.sap.com/notes/3626440 • CWE-862: Missing Authorization •

CVE-2025-42985 – Open Redirect vulnerability in SAP BusinessObjects Content Administrator workbench
https://notcve.org/view.php?id=CVE-2025-42985
08 Jul 2025 — Due to insufficient sanitization in the SAP BusinessObjects Content Administrator Workbench, attackers could craft malicious URLs and execute scripts in a victim's browser. This could potentially lead to the exposure or modification of web client data, resulting in low impact on confidentiality and integrity, with no impact on application availability. • https://me.sap.com/notes/3617380 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2025-42978 – Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java
https://notcve.org/view.php?id=CVE-2025-42978
08 Jul 2025 — The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname that is used for the connection against the wildcard hostname defined in the received certificate of the remote TLS server. This might lead to the outbound connection being established to a possibly malicious remote TLS server and hence disclose information. Integrity and Availability are not impacted. • https://me.sap.com/notes/3557179 • CWE-940: Improper Verification of Source of a Communication Channel •

CVE-2025-42974 – Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)
https://notcve.org/view.php?id=CVE-2025-42974
08 Jul 2025 — Due to a missing authorization check, an attacker authenticated as a non-administrative user could call a remote-enabled function module. This could enable access to information normally restricted, resulting in low impact on confidentiality. There is no impact on integrity or availability. • https://me.sap.com/notes/3610056 • CWE-862: Missing Authorization •

CVE-2025-42971 – Memory Corruption vulnerability in SAPCAR
https://notcve.org/view.php?id=CVE-2025-42971
08 Jul 2025 — A memory corruption vulnerability exists in SAPCAR allowing an attacker to craft malicious SAPCAR archives. When a high privileged victim extracts this malicious archive, it gets processed by SAPCAR on their system, resulting in out-of-bounds memory read and write. This could lead to file extraction and file overwrite outside the intended directories. This vulnerability has low impact on the confidentiality, integrity and availability of the application. • https://me.sap.com/notes/3595141 • CWE-787: Out-of-bounds Write •

CVE-2025-42970 – Directory Traversal vulnerability in SAPCAR
https://notcve.org/view.php?id=CVE-2025-42970
08 Jul 2025 — SAPCAR improperly sanitizes the file paths while extracting SAPCAR archives. Due to this, an attacker could craft a malicious SAPCAR archive containing directory traversal sequences. When a high privileged victim extracts this malicious archive, it is then processed by SAPCAR on their system, causing files to be extracted outside the intended directory and overwriting files in arbitrary locations. This vulnerability has a high impact on the integrity and availability of the application with no impact on con... • https://me.sap.com/notes/3595156 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-42968 – Missing Authorization check in SAP NetWeaver (RFC enabled function module)
https://notcve.org/view.php?id=CVE-2025-42968
08 Jul 2025 — SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module, which could grant access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application. • https://me.sap.com/notes/3621037 • CWE-862: Missing Authorization •