SAP SE SAP Supplier Relationship Management vulnerabilities

13 known vulnerabilities affecting sap_se/sap_supplier_relationship_management.

Total CVEs: 13
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2, MEDIUM 9

Vulnerabilities

CVE | Severity | CVSS | Versions | Date
CVE-2026-0512 | MEDIUM | CVSS 6.1 | SRM_SERVER 702, 713, +1 more | 2026-04-14
CWE-79: Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impactin
Sources: cvelistv5, nvd
CVE-2026-0513 | MEDIUM | CVSS 4.7 | SRM_SERVER 700, 701, +3 more | 2026-01-13
CWE-601: Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site. This causes low impact on integrity of the application. Confidentiality and availability are not impacted.
Sources: cvelistv5, nvd
CVE-2025-42910 | CRITICAL | CVSS 9.0 | SRMNXP01 100, 150 | 2025-10-14
CWE-434: Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, in
Sources: cvelistv5, nvd
CVE-2025-42920 | MEDIUM | CVSS 6.1 | SRM_SERVER 700, 701, +3 more | 2025-09-09
CWE-79: Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This exe
Sources: cvelistv5, nvd
CVE-2025-30012 | CRITICAL | CVSS 9.8 | SRM_SERVER 7.14 | 2025-05-13
CWE-502: The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which will result in deserialization of data in the application leading to exec
Sources: cvelistv5, nvd
CVE-2025-30018 | HIGH | CVSS 7.5 | SRM_SERVER 7.14 | 2025-05-13
CWE-611: The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on integrity and
Sources: cvelistv5, nvd
CVE-2025-30011 | MEDIUM | CVSS 5.3 | SRM_SERVER 7.14 | 2025-05-13
CWE-497: The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send a malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confid
Sources: cvelistv5, nvd
CVE-2025-30010 | MEDIUM | CVSS 6.1 | SRM_SERVER 7.14 | 2025-05-13
CWE-601: The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact
Sources: cvelistv5, nvd
CVE-2025-30009 | MEDIUM | CVSS 6.1 | SRM_SERVER 7.14 | 2025-05-13
CWE-79: The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim's browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim's browser, with n
Sources: cvelistv5, nvd
CVE-2025-43006 | MEDIUM | CVSS 6.1 | SRM_MDM_CAT 7.52 | 2025-05-13
CWE-79: SAP Supplier Relationship Management (Master Data Management Catalogue) allows an unauthenticated attacker to execute malicious scripts in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity
Sources: cvelistv5, nvd
CVE-2025-25243 | HIGH | CVSS 8.6 | SRM_MDM_CAT 7.52 | 2025-02-11
CWE-22: SAP Supplier Relationship Management (Master Data Management Catalog) allows an unauthenticated attacker to use a publicly available servlet to download an arbitrary file over the network without any user interaction. This can reveal highly sensitive information with no impact to integrity or availability.
Sources: cvelistv5, nvd
CVE-2023-39436 | MEDIUM | CVSS 5.8 | 600, 602, +6 more | 2023-08-08
CWE-306: SAP Supplier Relationship Management, versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality. This information could be used to allow the attacker to specialize their attacks against SRM.
Sources: cvelistv5, nvd
CVE-2019-0361 | MEDIUM | CVSS 6.1 | fixed in 3.73, 7.31, +1 more | 2019-09-10
CWE-79: SAP Supplier Relationship Management (Master Data Management Catalog - SRM_MDM_CAT, before versions 3.73, 7.31, 7.32) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
Sources: cvelistv5, nvd