CVE-2025-30018 — XML External Entity (XXE) Injection in SE SAP Supplier Relationship Management

CWE-611 — XML External Entity (XXE) Injection3 documents3 sources

Severity

7.5HIGHNVD

CNA8.6

EPSS

0.4%

top 41.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Supplier Relationship Management SAP Supplier Relationship Management

Timeline

PublishedMay 13

Description

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and availability of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDsap/supplier_relationship_management7.14

▶CVEListV5sap_se/sap_supplier_relationship_managementSRM_SERVER 7.14

🔴Vulnerability Details

GHSA

GHSA-wwrf-457v-6cqw: The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request wit↗2025-05-13

▶

CVEList

Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)↗2025-05-13

▶