Supplier Relationship Management
by SAP
CVEs (15)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-42910 | Cri | 0.59 | 9.0 | 0.00 | Oct 14, 2025 | Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful… | ||
| CVE-2025-25243 | Hig | 0.56 | 8.6 | 0.01 | Feb 11, 2025 | SAP Supplier Relationship Management (Master Data Management Catalog) allows an unauthenticated attacker to use a publicly available servlet to download an arbitrary file over the network without any user interaction. This can reveal highly sensitive information with no impact… | ||
| CVE-2018-2449 | Hig | 0.56 | 8.6 | 0.02 | Aug 14, 2018 | SAP SRM MDM Catalog versions 3.73, 7.31, 7.32 in (SAP NetWeaver 7.3) - import functionality does not perform authentication checks for valid repository user. This is an unauthenticated functionality that you can use on windows machines to do SMB relaying. | ||
| CVE-2026-0512 | Med | 0.40 | 6.1 | 0.00 | Apr 14, 2026 | Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's… | ||
| CVE-2025-43006 | Med | 0.40 | 6.1 | 0.00 | May 13, 2025 | SAP Supplier Relationship Management (Master Data Management Catalogue) allows an unauthenticated attacker to execute malicious scripts in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the… | ||
| CVE-2026-0513 | 0.00 | — | 0.00 | Jan 13, 2026 | Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity… | |||
| CVE-2025-42920 | 0.00 | — | 0.00 | Sep 9, 2025 | Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the… | |||
| CVE-2025-30018 | 0.00 | — | 0.00 | May 13, 2025 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high… | |||
| CVE-2025-30012 | 0.00 | — | 0.01 | May 13, 2025 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which… | |||
| CVE-2025-30011 | 0.00 | — | 0.00 | May 13, 2025 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version… | |||
| CVE-2025-30010 | 0.00 | — | 0.00 | May 13, 2025 | The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a… | |||
| CVE-2025-30009 | 0.00 | — | 0.00 | May 13, 2025 | he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim�s browser. This vulnerability has low impact on… | |||
| CVE-2023-39436 | 0.00 | — | 0.00 | Aug 8, 2023 | SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the… | |||
| CVE-2014-4161 | 0.00 | — | 0.01 | Jun 13, 2014 | Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to inject arbitrary web script or HTML via the url parameter. | |||
| CVE-2014-4159 | 0.00 | — | 0.01 | Jun 13, 2014 | Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. |
- risk 0.59cvss 9.0epss 0.00
Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful…
- risk 0.56cvss 8.6epss 0.01
SAP Supplier Relationship Management (Master Data Management Catalog) allows an unauthenticated attacker to use a publicly available servlet to download an arbitrary file over the network without any user interaction. This can reveal highly sensitive information with no impact…
- risk 0.56cvss 8.6epss 0.02
SAP SRM MDM Catalog versions 3.73, 7.31, 7.32 in (SAP NetWeaver 7.3) - import functionality does not perform authentication checks for valid repository user. This is an unauthenticated functionality that you can use on windows machines to do SMB relaying.
- risk 0.40cvss 6.1epss 0.00
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's…
- risk 0.40cvss 6.1epss 0.00
SAP Supplier Relationship Management (Master Data Management Catalogue) allows an unauthenticated attacker to execute malicious scripts in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the…
- CVE-2026-0513Jan 13, 2026risk 0.00cvss —epss 0.00
Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity…
- CVE-2025-42920Sep 9, 2025risk 0.00cvss —epss 0.00
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the…
- CVE-2025-30018May 13, 2025risk 0.00cvss —epss 0.00
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high…
- CVE-2025-30012May 13, 2025risk 0.00cvss —epss 0.01
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an unauthenticated attacker to send malicious payload request in a specific encoding format. The servlet will then decode this malicious request which…
- CVE-2025-30011May 13, 2025risk 0.00cvss —epss 0.00
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version…
- CVE-2025-30010May 13, 2025risk 0.00cvss —epss 0.00
The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a…
- CVE-2025-30009May 13, 2025risk 0.00cvss —epss 0.00
he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim�s browser. This vulnerability has low impact on…
- CVE-2023-39436Aug 8, 2023risk 0.00cvss —epss 0.00
SAP Supplier Relationship Management -versions 600, 602, 603, 604, 605, 606, 616, 617, allows an unauthorized attacker to discover information relating to SRM within Vendor Master Data for Business Partners replication functionality.This information could be used to allow the…
- CVE-2014-4161Jun 13, 2014risk 0.00cvss —epss 0.01
Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to inject arbitrary web script or HTML via the url parameter.
- CVE-2014-4159Jun 13, 2014risk 0.00cvss —epss 0.01
Open redirect vulnerability in in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.