May 15, 2025
Severity
High
Analysis Summary
CVE-2025-30009 CVSS:6.1
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component within the affected SRM packages, which allows an unauthenticated attacker to execute a malicious script in the victim's browser. This vulnerability has a low impact on confidentiality and integrity within the scope of the victim's browser and no effect on the availability of the application.
CVE-2025-30012 CVSS:3.9
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component within the affected SRM stack to accept binary Java objects in a specific encoding format. On successful exploitation, an authenticated attacker with high privileges could send a malicious payload request and receive an outbound DNS request, resulting in deserialization of data in the application. This vulnerability has a low impact on the confidentiality, integrity and availability of the application.
CVE-2025-42997 CVSS:6.6
Under certain conditions, SAP Gateway Client allows a high-privileged user to access restricted information beyond the scope of the application. Because the exposed data could be misused to influence application behavior or performance, this may lead to a low impact on confidentiality, integrity and availability.
CVE-2025-26662 CVSS:4.4
The Data Services Management Console does not sufficiently encode user-controlled input, allowing an attacker to inject a malicious script. When a targeted victim who is already logged in clicks the crafted link, the injected script executes within the scope of the victim's browser. This can affect confidentiality and integrity; availability is not impacted.
CVE-2025-30010 CVSS:6.1
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component within the affected SRM packages, which allows an unauthenticated attacker to craft a malicious link that, when clicked by a victim, redirects the browser to a malicious site (an open redirect). On successful exploitation, the attacker could cause a low impact on confidentiality and integrity, with no impact on the availability of the application.
CVE-2025-30011 CVSS:5.3
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated Java applet component within the affected SRM packages, which allows an unauthenticated attacker to send a malicious request to the application that discloses the internal version details of the affected system. This vulnerability has a low impact on confidentiality and no effect on the integrity or availability of the application.
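The open-redirect class behind CVE-2025-30010 arises when an application forwards the browser to whatever URL a request parameter names. The check below is an added example written for this page, not SAP code or a description of the Live Auction Cockpit internals; the allowed hostname `srm.example.corp` is a constructed placeholder. It shows the edge cases a redirect-target validator has to handle: scheme-relative `//host` URLs, backslashes that browsers treat as slashes, non-HTTP schemes such as `javascript:`, credentials in the authority (`trusted@evil`), and look-alike subdomains.

```python
"""Redirect-target validation: the hardened counterpart of an open redirect.

Vulnerable pattern (pseudocode of the flaw class, not the SAP component):
    target = request.getParameter("returnTo")
    response.sendRedirect(target)          # attacker controls the destination

Hardened pattern: only follow the target if it stays on an allow-listed host
over http(s), otherwise fall back to a fixed local path.
"""
from urllib.parse import urlsplit

# Constructed placeholder for the application's own hostname (assumption).
ALLOWED_HOSTS = frozenset({"srm.example.corp"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a local path or an http(s) URL on an allowed host."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False  # empty, or control characters usable for header injection

    # Browsers treat backslashes as forward slashes, so "/\evil.example"
    # becomes the scheme-relative URL "//evil.example". Normalise first so
    # urlsplit sees what the browser will see.
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)

    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, vbscript:, custom app schemes

    if parts.scheme == "" and parts.netloc == "":
        # Plain path. Require exactly one leading slash: "//host" already
        # parsed as a netloc above, but be explicit about the intent.
        return normalized.startswith("/") and not normalized.startswith("//")

    if "@" in parts.netloc:
        return False  # "https://srm.example.corp@evil.example/" lands on evil.example

    host = parts.hostname  # lowercased, port stripped
    return host is not None and host in allowed_hosts


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Destination to actually send the browser to: the target if safe, else `fallback`."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, one per edge case handled above.
    for candidate in (
        "/auction/123",
        "//evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://srm.example.corp@evil.example/",
        "https://SRM.example.corp:8443/auction",
        "https://srm.example.corp.evil.example/",
    ):
        print(f"{candidate!r:48} -> {resolve_redirect(candidate)}")
```

Exact host matching is deliberate: a suffix check such as `host.endswith("example.corp")` would accept `srm.example.corp.evil.example` once the attacker controls a domain with that prefix. Where the application only ever needs to return users to its own pages, rejecting absolute URLs altogether and accepting only single-slash paths is simpler still.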
Impact
- Cross-Site Scripting
- Open Redirect
- Information Disclosure
- Insecure Deserialization
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-30009
- CVE-2025-30010
- CVE-2025-30011
- CVE-2025-30012
- CVE-2025-42997
- CVE-2025-26662
Affected Vendors
- SAP
Affected Products
- SAP Supplier Relationship Management (Live Auction Cockpit)
- SAP Gateway Client
- SAP Data Services Management Console
Remediation
Refer to the SAP Security Advisory (login required) for patch, upgrade or suggested workaround information. Three of the Live Auction Cockpit issues (CVE-2025-30009, CVE-2025-30010, CVE-2025-30011) are reachable by an unauthenticated attacker and should be prioritised on any SRM system exposed to users outside the internal network.