CVE-2025-31328: Cross-Site Request Forgery in SE SAP S 4 Hana

Severity: 4.6 MEDIUM (NVD)
EPSS: 0.1% (top 81.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 22

Description

SAP Learning Solution is vulnerable to Cross-Site Request Forgery (CSRF), allowing an attacker to trick an authenticated user into sending unintended requests to the server. A GET-based OData function is named in a way that violates the expected behaviour. This issue could impact both the confidentiality and integrity of the application without affecting the availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Exploitability: 2.1 | Impact: 2.5

Affected Packages (1 package)

CVEListV5: sap_se/sap_s_4_hana (101, S4HCMGXX 100, +1)

Vulnerability Details (2)

GHSA: GHSA-q7h8-385m-x32m: SAP Learning Solution is vulnerable to Cross-Site Request Forgery (CSRF), allowing an attacker to trick authenticated user into sending unintended req | 2025-04-22
CVEList: Cross-Site Request Forgery (CSRF) vulnerability in SAP S/4 HANA (Learning Solution) | 2025-04-22