CVE-2025-42910

Published: Oct 14, 2025Modified: Oct 14, 2025

9.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: CNA (Secondary)

Description

Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, integrity and availability of the application.

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://me.sap.com/notes/3647332

Source: cna@sap.com

https://url.sap/sapsecuritypatchday

Source: cna@sap.com

Timeline

No history available yet.