Vulnerability-Lookup

CVE-2025-26654 (GCVE-0-2025-26654)

Vulnerability from cvelistv5 – Published: 2025-04-08 07:13 – Updated: 2025-04-09 04:00

Title

Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud)

Summary

SAP Commerce Cloud (Public Cloud) does not allow to disable unencrypted HTTP (port 80) entirely, but instead allows a redirect from port 80 to 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent on the first request before the redirect may be impacted if the client is configured to use HTTP and sends confidential data on the first request before the redirect.

Severity ?

6.8 (Medium)


                        
                          CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

Assigner

sap

References

URL

	Vendor	Product	Version
	SAP_SE	SAP Commerce Cloud (Public Cloud)	Affected: COM_CLOUD 2211

CVE-2025-26654

Vulnerability from fstec - Published: 08.04.2025

Title

Уязвимость платформы электронной коммерции SAP Commerce Cloud, связанная с передачей критичной информации открытым текстом, позволяющая нарушителю раскрыть защищаемую информацию

Description

Уязвимость платформы электронной коммерции SAP Commerce Cloud связана с передачей критичной информации открытым текстом. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, раскрыть защищаемую информацию

Severity ?


                    
                      AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Vendor

SAP

Software Name

SAP Commerce Cloud

Software Version

COM_CLOUD 2211 (SAP Commerce Cloud)

Possible Mitigations

Использование рекомендаций производителя: https://url.sap/sapsecuritypatchday

Reference

https://me.sap.com/notes/3543274 https://url.sap/sapsecuritypatchday

CWE

CWE-319

JSON

To clipboard

{
  "CVSS 2.0": "AV:A/AC:H/Au:N/C:C/I:C/A:N",
  "CVSS 3.0": "AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "SAP",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "COM_CLOUD 2211 (SAP Commerce Cloud)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://url.sap/sapsecuritypatchday",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "08.04.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "23.04.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "23.04.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-04846",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2025-26654",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "SAP Commerce Cloud",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439 \u043a\u043e\u043c\u043c\u0435\u0440\u0446\u0438\u0438 SAP Commerce Cloud, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043f\u0435\u0440\u0435\u0434\u0430\u0447\u0435\u0439 \u043a\u0440\u0438\u0442\u0438\u0447\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043e\u0442\u043a\u0440\u044b\u0442\u044b\u043c \u0442\u0435\u043a\u0441\u0442\u043e\u043c, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041f\u0435\u0440\u0435\u0434\u0430\u0447\u0430 \u0441\u0435\u043a\u0440\u0435\u0442\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u0432 \u0432\u0438\u0434\u0435 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u0433\u043e \u0442\u0435\u043a\u0441\u0442\u0430 (CWE-319)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439 \u043a\u043e\u043c\u043c\u0435\u0440\u0446\u0438\u0438 SAP Commerce Cloud \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043f\u0435\u0440\u0435\u0434\u0430\u0447\u0435\u0439 \u043a\u0440\u0438\u0442\u0438\u0447\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043e\u0442\u043a\u0440\u044b\u0442\u044b\u043c \u0442\u0435\u043a\u0441\u0442\u043e\u043c. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0441\u0431\u043e\u0440 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://me.sap.com/notes/3543274\t\nhttps://url.sap/sapsecuritypatchday",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-319",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,2)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,8)"
}

GHSA-GJ2R-XJ7G-VP59

Vulnerability from github – Published: 2025-04-08 09:31 – Updated: 2025-04-08 09:31

Details

Severity ?

6.8 (Medium)


                  
                    CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-26654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T08:15:15Z",
    "severity": "MODERATE"
  },
  "details": "SAP Commerce Cloud (Public Cloud) does not allow to disable unencrypted HTTP (port 80) entirely, but instead allows a redirect from port 80 to 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent on the first request before the redirect may be impacted if the client is configured to use HTTP and sends confidential data on the first request before the redirect.",
  "id": "GHSA-gj2r-xj7g-vp59",
  "modified": "2025-04-08T09:31:10Z",
  "published": "2025-04-08T09:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26654"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3543274"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CERTFR-2025-AVI-0285

Vulnerability from certfr_avis - Published: 2025-04-08 - Updated: 2025-04-25

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

L'éditeur indique que la vulnérabilité CVE-2025-31324 est activement exploitée.

Impacted products

Vendor	Product	Description
SAP	S/4HANA (Private Cloud)	S/4HANA (Learning Solution) versions S4HCMGXX 100 et 101 sans le dernier correctif de sécurité
SAP	NetWeaver Application Server pour ABAP	NetWeaver Application Server ABAP (applications based on GUI for HTML) versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93 et 9.14 sans le dernier correctif de sécurité
SAP	SAP BusinessObjects Business Intelligence	BusinessObjects Business Intelligence platform (Central Management Console) versions ENTERPRISE 430 et 2025 sans le dernier correctif de sécurité
SAP	NetWeaver Application Server pour ABAP	NetWeaver Application Server ABAP (Virus Scan Interface) versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de sécurité
SAP	NetWeaver et ABAP	NetWeaver et ABAP Platform (Service Data Collection) versions ST-PI 2008_1_700, 2008_1_710 et 740 sans le dernier correctif de sécurité
SAP	NetWeaver Application Server pour ABAP	NetWeaver versions SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H et 75I sans le dernier correctif de sécurité
SAP	S4CORE entity	S4CORE entity versions S4CORE 107 et 108 sans le dernier correctif de sécurité
SAP	Commerce Cloud	Commerce Cloud versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de sécurité
SAP	ERP BW Business Content	ERP BW Business Content versions BI_CONT 707, 737, 747 et 757 sans le dernier correctif de sécurité
SAP	Commerce Cloud	Commerce Cloud (Public Cloud) version COM_CLOUD 2211 sans le dernier correctif de sécurité
SAP	N/A	Field Logistics versions S4CORE 107 et 108 sans le dernier correctif
SAP	NetWeaver Application Server pour ABAP	NetWeaver Application Server ABAP versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89 et 7.93 sans le dernier correctif de sécurité
SAP	NetWeaver et ABAP	NetWeaver (Visual Composer development server) versions VCFRAMEWORK 7.50 sans le dernier correctif de sécurité
SAP	NetWeaver et ABAP	NetWeaver et ABAP Platform (Application Server ABAP) versions KRNL64UC 7.53, KERNEL 7.53 et 7.54 sans le dernier correctif de sécurité
SAP	Solution Manager	Solution Manager versions ST 720, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 914 sans le dernier correctif de sécurité
SAP	Capital Yield Tax Management	Capital Yield Tax Management versions CYTERP 420_700, CYT 800, IBS 7.0 et CYT4HANA 100 sans le dernier correctif de sécurité
SAP	SAP BusinessObjects Business Intelligence	BusinessObjects Business Intelligence Platform version ENTERPRISE 430 sans le dernier correctif de sécurité
SAP	S/4HANA (Private Cloud)	S/4HANA (Private Cloud) versions S4CORE 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de sécurité
SAP	CRM	CRM et S/4HANA (Interaction Center) versions S4CRM 100, 200, 204, 205, 206, S4FND 102, 103, 104, 105, 106, 107, 108, S4CEXT 107, 108, BBPCRM 701, 702, 712, 713, 714, WEBCUIF 701, 731, 746, 747, 748, 800 et 801 sans le dernier correctif de sécurité
SAP	KMC WPC	KMC WPC version KMC-WPC 7.50 sans le dernier correctif de sécurité
SAP	Landscape Transformation	Landscape Transformation (Analysis Platform) versions DMIS 2011_1_700, 2011_1_710, 2011_1_730 et 2011_1_731 sans le dernier correctif de sécurité

References

Title

Publication Time

Tags

Bulletin de sécurité SAP april-2025	2025-04-08	vendor-advisory
FAQ sur l'exploitation de la vulnérabilité CVE-2025-31324	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "S/4HANA (Learning Solution) versions S4HCMGXX 100 et 101 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "S/4HANA (Private Cloud)",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server ABAP (applications based on GUI for HTML) versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93 et 9.14 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver Application Server pour ABAP",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence platform (Central Management Console) versions ENTERPRISE 430 et 2025 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "SAP BusinessObjects Business Intelligence",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server ABAP (Virus Scan Interface) versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver Application Server pour ABAP",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver et ABAP Platform (Service Data Collection) versions ST-PI 2008_1_700, 2008_1_710 et 740 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver et ABAP",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver versions SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H et 75I sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver Application Server pour ABAP",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S4CORE entity versions S4CORE 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "S4CORE entity",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Commerce Cloud versions HY_COM 2205 et COM_CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Commerce Cloud",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "ERP BW Business Content versions BI_CONT 707, 737, 747 et 757 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "ERP BW Business Content",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Commerce Cloud (Public Cloud) version COM_CLOUD 2211 sans le dernier correctif de s\u00e9curit\u00e9\n",
      "product": {
        "name": "Commerce Cloud",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Field Logistics versions S4CORE 107 et 108 sans le dernier correctif",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server ABAP versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89 et 7.93 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver Application Server pour ABAP",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver (Visual Composer development server) versions VCFRAMEWORK 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver et ABAP",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver et ABAP Platform (Application Server ABAP) versions KRNL64UC 7.53, KERNEL 7.53 et 7.54 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "NetWeaver et ABAP",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Solution Manager versions ST 720, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 et SAP_BASIS 914 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Solution Manager",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Capital Yield Tax Management versions CYTERP 420_700, CYT 800, IBS 7.0 et CYT4HANA 100 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Capital Yield Tax Management",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence Platform version ENTERPRISE 430 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "SAP BusinessObjects Business Intelligence",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA (Private Cloud) versions S4CORE 102, 103, 104, 105, 106, 107 et 108 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "S/4HANA (Private Cloud)",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "CRM et S/4HANA (Interaction Center) versions S4CRM 100, 200, 204, 205, 206, S4FND 102, 103, 104, 105, 106, 107, 108, S4CEXT 107, 108, BBPCRM 701, 702, 712, 713, 714, WEBCUIF 701, 731, 746, 747, 748, 800 et 801 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "CRM",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "KMC WPC version KMC-WPC 7.50 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "KMC WPC",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Landscape Transformation (Analysis Platform) versions DMIS 2011_1_700, 2011_1_710, 2011_1_730 et 2011_1_731 sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "Landscape Transformation",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "L\u0027\u00e9diteur indique que la vuln\u00e9rabilit\u00e9 CVE-2025-31324 est activement exploit\u00e9e.",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-30015",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30015"
    },
    {
      "name": "CVE-2025-31333",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31333"
    },
    {
      "name": "CVE-2025-27429",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27429"
    },
    {
      "name": "CVE-2025-27428",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27428"
    },
    {
      "name": "CVE-2025-0064",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0064"
    },
    {
      "name": "CVE-2025-23186",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23186"
    },
    {
      "name": "CVE-2025-27435",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27435"
    },
    {
      "name": "CVE-2025-26654",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26654"
    },
    {
      "name": "CVE-2025-26653",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26653"
    },
    {
      "name": "CVE-2025-31324",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31324"
    },
    {
      "name": "CVE-2025-30014",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30014"
    },
    {
      "name": "CVE-2024-56337",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-56337"
    },
    {
      "name": "CVE-2025-27437",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27437"
    },
    {
      "name": "CVE-2025-30016",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30016"
    },
    {
      "name": "CVE-2025-31332",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31332"
    },
    {
      "name": "CVE-2025-26657",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26657"
    },
    {
      "name": "CVE-2025-31328",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31328"
    },
    {
      "name": "CVE-2025-30013",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30013"
    },
    {
      "name": "CVE-2025-30017",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30017"
    },
    {
      "name": "CVE-2025-27430",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-27430"
    },
    {
      "name": "CVE-2025-31331",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31331"
    },
    {
      "name": "CVE-2025-31330",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31330"
    },
    {
      "name": "CVE-2025-31327",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31327"
    }
  ],
  "initial_release_date": "2025-04-08T00:00:00",
  "last_revision_date": "2025-04-25T00:00:00",
  "links": [
    {
      "title": "FAQ sur l\u0027exploitation de la vuln\u00e9rabilit\u00e9 CVE-2025-31324",
      "url": "https://me.sap.com/notes/3596125"
    }
  ],
  "reference": "CERTFR-2025-AVI-0285",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-04-08T00:00:00.000000"
    },
    {
      "description": "Ajout des vuln\u00e9rabilit\u00e9s CVE-2025-31324, CVE-2025-31328 et CVE-2025-31327",
      "revision_date": "2025-04-25T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": "2025-04-08",
      "title": "Bulletin de s\u00e9curit\u00e9 SAP april-2025",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html"
    }
  ]
}

FKIE_CVE-2025-26654

Vulnerability from fkie_nvd - Published: 2025-04-08 08:15 - Updated: 2025-04-08 18:13

Severity ?

6.8 (Medium) - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	cna@sap.com	https://me.sap.com/notes/3543274
	cna@sap.com	https://url.sap/sapsecuritypatchday

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP Commerce Cloud (Public Cloud) does not allow to disable unencrypted HTTP (port 80) entirely, but instead allows a redirect from port 80 to 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent on the first request before the redirect may be impacted if the client is configured to use HTTP and sends confidential data on the first request before the redirect."
    },
    {
      "lang": "es",
      "value": "SAP Commerce Cloud (Nube P\u00fablica) no permite deshabilitar por completo el protocolo HTTP sin cifrar (puerto 80), sino que permite una redirecci\u00f3n del puerto 80 al 443 (HTTPS). Como resultado, Commerce normalmente se comunica de forma segura mediante HTTPS. Sin embargo, la confidencialidad e integridad de los datos enviados en la primera solicitud antes de la redirecci\u00f3n pueden verse afectadas si el cliente est\u00e1 configurado para usar HTTP y env\u00eda datos confidenciales en la primera solicitud antes de la redirecci\u00f3n."
    }
  ],
  "id": "CVE-2025-26654",
  "lastModified": "2025-04-08T18:13:53.347",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.2,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-04-08T08:15:15.903",
  "references": [
    {
      "source": "cna@sap.com",
      "url": "https://me.sap.com/notes/3543274"
    },
    {
      "source": "cna@sap.com",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-319"
        }
      ],
      "source": "cna@sap.com",
      "type": "Secondary"
    }
  ]
}

CNVD-2025-07505

Vulnerability from cnvd - Published: 2025-04-15

Title

SAP Commerce Cloud信息泄露漏洞（CNVD-2025-07505）

Description

SAP Commerce Cloud是德国思爱普（SAP）公司的一套基于云的电子商务平台。该产支持销售管理、营销管理、订单管理和运营管理等。 SAP Commerce Cloud存在信息泄露漏洞，攻击者可利用该漏洞提交特殊的请求，获取敏感信息。

Severity

中

Patch Name

SAP Commerce Cloud信息泄露漏洞（CNVD-2025-07505）的补丁

Patch Description

SAP Commerce Cloud是德国思爱普（SAP）公司的一套基于云的电子商务平台。该产支持销售管理、营销管理、订单管理和运营管理等。 SAP Commerce Cloud存在信息泄露漏洞，攻击者可利用该漏洞提交特殊的请求，获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网: https://me.sap.com/notes/3543274

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-26654

Impacted products

Name
SAP Commerce Cloud

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-26654",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-26654"
    }
  },
  "description": "SAP Commerce Cloud\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8e\u4e91\u7684\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\u8be5\u4ea7\u652f\u6301\u9500\u552e\u7ba1\u7406\u3001\u8425\u9500\u7ba1\u7406\u3001\u8ba2\u5355\u7ba1\u7406\u548c\u8fd0\u8425\u7ba1\u7406\u7b49\u3002\n\nSAP Commerce Cloud\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51:\r\nhttps://me.sap.com/notes/3543274",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-07505",
  "openTime": "2025-04-15",
  "patchDescription": "SAP Commerce Cloud\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8e\u4e91\u7684\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002\u8be5\u4ea7\u652f\u6301\u9500\u552e\u7ba1\u7406\u3001\u8425\u9500\u7ba1\u7406\u3001\u8ba2\u5355\u7ba1\u7406\u548c\u8fd0\u8425\u7ba1\u7406\u7b49\u3002\r\n\r\nSAP Commerce Cloud\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP Commerce Cloud\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2025-07505\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "SAP Commerce Cloud"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-26654",
  "serverity": "\u4e2d",
  "submitTime": "2025-04-14",
  "title": "SAP Commerce Cloud\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2025-07505\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-26654 (GCVE-0-2025-26654)

CVE-2025-26654

GHSA-GJ2R-XJ7G-VP59

CERTFR-2025-AVI-0285

Solutions

FKIE_CVE-2025-26654

CNVD-2025-07505

Tags

Sightings

Nomenclature