CVE-2025-42920 — Cross-site Scripting in SE SAP Supplier Relationship Management

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.2%

top 58.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Supplier Relationship Management SAP Supplier Relationship Management

Timeline

PublishedSep 9

Description

Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim's browser scope, impacting confidentiality and integrity, while availa…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDsap/supplier_relationship_management7.0

▶CVEListV5sap_se/sap_supplier_relationship_management5 versions+4

Patches

Patch: url.sap ↗

🔴Vulnerability Details

CVEList

Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management↗2025-09-09

▶

GHSA

GHSA-x2fx-g3ch-j487: Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious↗2025-09-09

▶