Severity
High
Analysis Summary
CVE-2025-30009 CVSS:6.1
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victims browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victims browser, with no effect on availability of the application.
CVE-2025-30012 CVSS:3.9
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM stack to accept binary Java objects in specific encoding format. On successful exploitation, an authenticated attacker with high privileges could send malicious payload request and receive an outbound DNS request, resulting in deserialization of data in the application. This vulnerability has low impact on confidentiality, integrity and availability of the application.
CVE-2025-42997 CVSS:6.6
Under certain conditions, SAP Gateway Client allows a high-privileged user to access restricted information beyond the scope of the application. Due to the possibility of influencing application behavior or performance through misuse of the exposed data, this may potentially lead to low impact on confidentiality, integrity, and availability.
CVE-2025-26662 CVSS:4.4
The Data Services Management Console does not sufficiently encode user-controlled inputs, allowing an attacker to inject malicious script. When a targeted victim, who is already logged in, clicks on the compromised link, the injected script gets executed within the scope of victims browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted.
CVE-2025-30010 CVSS 6.1
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application.
CVE-2025-30011 CVSS:5.3
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application.
Impact
- Cross-Site Scripting
- Gain Access
Indicators of Compromise
CVE
CVE-2025-30009
CVE-2025-42997
CVE-2025-26662
CVE-2025-30010
CVE-2025-30011
CVE-2025-30012
Affected Vendors
Affected Products
- SAP Supplier Relationship Management
- SAP Data Services Management Console
Remediation
Refer to SAP Security Advisory for patch, upgrade, or suggested workaround information.(Login Required)