ID

VAR-202509-0625


CVE

CVE-2025-42920


DESCRIPTION

Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated victim clicks on the link, the injected input is processed during the page generation, resulting in the execution of malicious content. This execution allows the attacker to access and modify information within the victim's browser scope, impacting confidentiality and integrity, while availability remains unaffected.

Trust: 1.0

sources: NVD: CVE-2025-42920

AFFECTED PRODUCTS

vendor: sap | model: supplier relationship management | scope: eq | version: 7.0

Trust: 1.0

sources: NVD: CVE-2025-42920

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@sap.com: CVE-2025-42920
value: MEDIUM

Trust: 1.0

cna@sap.com: CVE-2025-42920
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

sources: NVD: CVE-2025-42920

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.0

sources: NVD: CVE-2025-42920

EXTERNAL IDS

db: NVD | id: CVE-2025-42920

Trust: 1.0

sources: NVD: CVE-2025-42920

REFERENCES

url:https://me.sap.com/notes/3647098

Trust: 1.0

url:https://url.sap/sapsecuritypatchday

Trust: 1.0

sources: NVD: CVE-2025-42920

SOURCES

db: NVD | id: CVE-2025-42920

LAST UPDATE DATE

2025-11-18T15:17:11.332000+00:00


SOURCES UPDATE DATE

db: NVD | id: CVE-2025-42920 | date: 2025-10-24T14:50:48.223

SOURCES RELEASE DATE

db: NVD | id: CVE-2025-42920 | date: 2025-09-09T02:15:40.300