Vulnerability-Lookup

CVE-2025-43008 (GCVE-0-2025-43008)

Vulnerability from cvelistv5 – Published: 2025-05-13 00:19 – Updated: 2025-05-13 13:57

Title

Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal

Summary

Due to missing authorization check, an unauthorized user can view the files of other company. This might lead to disclosure of personal data of employees. There is no impact on integrity and availability.

Severity ?

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-862 - Missing Authorization

Assigner

sap

References

URL

Tags

	https://me.sap.com/notes/3585992
	https://url.sap/sapsecuritypatchday

Impacted products

	Vendor	Product	Version
	SAP_SE	SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal	Affected: S4HCMCPT 100 Affected: 101 Affected: SAP_HRCPT 600 Affected: 604 Affected: 608

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-43008",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-13T13:57:02.705374Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-13T13:57:09.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "S4HCMCPT 100"
            },
            {
              "status": "affected",
              "version": "101"
            },
            {
              "status": "affected",
              "version": "SAP_HRCPT 600"
            },
            {
              "status": "affected",
              "version": "604"
            },
            {
              "status": "affected",
              "version": "608"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDue to missing authorization check, an unauthorized user can view the files of other company. This might lead to disclosure of personal data of employees. There is no impact on integrity and availability.\u003c/p\u003e"
            }
          ],
          "value": "Due to missing authorization check, an unauthorized user can view the files of other company. This might lead to disclosure of personal data of employees. There is no impact on integrity and availability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-13T00:19:30.248Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/3585992"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-43008",
    "datePublished": "2025-05-13T00:19:30.248Z",
    "dateReserved": "2025-04-16T13:25:53.589Z",
    "dateUpdated": "2025-05-13T13:57:09.498Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-43008\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-13T13:57:02.705374Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-13T13:57:06.690Z\"}}], \"cna\": {\"title\": \"Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SAP_SE\", \"product\": \"SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal\", \"versions\": [{\"status\": \"affected\", \"version\": \"S4HCMCPT 100\"}, {\"status\": \"affected\", \"version\": \"101\"}, {\"status\": \"affected\", \"version\": \"SAP_HRCPT 600\"}, {\"status\": \"affected\", \"version\": \"604\"}, {\"status\": \"affected\", \"version\": \"608\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://me.sap.com/notes/3585992\"}, {\"url\": \"https://url.sap/sapsecuritypatchday\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Due to missing authorization check, an unauthorized user can view the files of other company. This might lead to disclosure of personal data of employees. There is no impact on integrity and availability.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eDue to missing authorization check, an unauthorized user can view the files of other company. This might lead to disclosure of personal data of employees. There is no impact on integrity and availability.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"eng\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"shortName\": \"sap\", \"dateUpdated\": \"2025-05-13T00:19:30.248Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-43008\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-13T13:57:09.498Z\", \"dateReserved\": \"2025-04-16T13:25:53.589Z\", \"assignerOrgId\": \"e4686d1a-f260-4930-ac4c-2f5c992778dd\", \"datePublished\": \"2025-05-13T00:19:30.248Z\", \"assignerShortName\": \"sap\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CNVD-2025-11406

Vulnerability from cnvd - Published: 2025-06-03

Title

SAP ERP HCM和SAP S/4HANA授权问题漏洞

Description

SAP ERP HCM和SAP S/4HANA都是德国思爱普（SAP）公司的产品。SAP ERP HCM是一套企业人力资源管理解决方案。SAP S/4HANA是一个基于SAP HANA内存数据库系统的的企业资源管理软件。 SAP ERP HCM和SAP S/4HANA存在授权问题漏洞，该漏洞源于缺少授权检查，攻击者可利用该漏洞导致员工个人信息泄露。

Severity

中

Patch Name

SAP ERP HCM和SAP S/4HANA授权问题漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网： https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2025.html

Reference

https://me.sap.com/notes/3585992

Impacted products

Name
['SAP ERP HCM', 'SAP S/4HANA']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-43008",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-43008"
    }
  },
  "description": "SAP ERP HCM\u548cSAP S/4HANA\u90fd\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002SAP ERP HCM\u662f\u4e00\u5957\u4f01\u4e1a\u4eba\u529b\u8d44\u6e90\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002SAP S/4HANA\u662f\u4e00\u4e2a\u57fa\u4e8eSAP HANA\u5185\u5b58\u6570\u636e\u5e93\u7cfb\u7edf\u7684\u7684\u4f01\u4e1a\u8d44\u6e90\u7ba1\u7406\u8f6f\u4ef6\u3002\n\nSAP ERP HCM\u548cSAP S/4HANA\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f3a\u5c11\u6388\u6743\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u5458\u5de5\u4e2a\u4eba\u4fe1\u606f\u6cc4\u9732\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2025.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-11406",
  "openTime": "2025-06-03",
  "patchDescription": "SAP ERP HCM\u548cSAP S/4HANA\u90fd\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002SAP ERP HCM\u662f\u4e00\u5957\u4f01\u4e1a\u4eba\u529b\u8d44\u6e90\u7ba1\u7406\u89e3\u51b3\u65b9\u6848\u3002SAP S/4HANA\u662f\u4e00\u4e2a\u57fa\u4e8eSAP HANA\u5185\u5b58\u6570\u636e\u5e93\u7cfb\u7edf\u7684\u7684\u4f01\u4e1a\u8d44\u6e90\u7ba1\u7406\u8f6f\u4ef6\u3002\r\n\r\nSAP ERP HCM\u548cSAP S/4HANA\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f3a\u5c11\u6388\u6743\u68c0\u67e5\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u5458\u5de5\u4e2a\u4eba\u4fe1\u606f\u6cc4\u9732\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP ERP HCM\u548cSAP S/4HANA\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP ERP HCM",
      "SAP S/4HANA"
    ]
  },
  "referenceLink": "https://me.sap.com/notes/3585992",
  "serverity": "\u4e2d",
  "submitTime": "2025-05-28",
  "title": "SAP ERP HCM\u548cSAP S/4HANA\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

GHSA-XVX6-286H-35QM

Vulnerability from github – Published: 2025-05-13 03:31 – Updated: 2025-05-13 03:31

Details

Severity ?

5.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2025-43008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-13T01:15:49Z",
    "severity": "MODERATE"
  },
  "details": "Due to missing authorization check, an unauthorized user can view the files of other company. This might lead to disclosure of personal data of employees. There is no impact on integrity and availability.",
  "id": "GHSA-xvx6-286h-35qm",
  "modified": "2025-05-13T03:31:14Z",
  "published": "2025-05-13T03:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43008"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3585992"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CERTFR-2025-AVI-0396

Vulnerability from certfr_avis - Published: 2025-05-13 - Updated: 2025-06-12

De multiples vulnérabilités ont été découvertes dans les produits SAP. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
SAP	S/4HANA	S/4HANA HCM Portugal and SAP ERP HCM Portugal versions S4HCMCPT 100, 101, SAP_HRCPT 600, 604 et 608
SAP	N/A	Service Parts Management (SPM) versions SAP_APPL 600, 602, 603, 604, 605, 606, 616, 617, 618, SAPSCORE 111, S4CORE 100, 101 et 102
SAP	NetWeaver	NetWeaver (Visual Composer development server) version VCFRAMEWORK 7.50
SAP	N/A	Supplier Relationship Management (Master Data Management Catalog) version SRM_MDM_CAT 7.52
SAP	Business Objects Business Intelligence Platform	BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 et 2025
SAP	N/A	Business Objects Business Intelligence Platform (PMW) versions ENTERPRISE 430, 2025 et 2027
SAP	NetWeaver Application Server ABAP et ABAP Platform	NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758
SAP	N/A	Data Services Management Console version SBOP DS JOB SERVER 4.3
SAP	N/A	Digital Manufacturing (Production Operator Dashboard) version CTNR-DME-PODFOUNDATION-MS 1.0
SAP	N/A	Fiori for SAP ERP versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758
SAP	S/4HANA	S4/HANA (OData meta-data property) versions S4CORE 102, 103, 104, 105 et 106
SAP	S/4HANA	S/4HANA (Private Cloud & On-Premise) versions S4CRM 204, 205, 206, S4CEXT 107, 108, BBPCRM 702, 712, 713, 714
SAP	S/4HANA	S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) versions S4CORE 102, 103, 104, 105, 106, 107, 108, SCM_BASIS 700, 701, 702, 712, 713 et 714
SAP	N/A	Gateway Client versions SAP_GWFND 752, 753, 754, 755, 756, 757 et 758
SAP	N/A	Supplier Relationship Management (Live Auction Cockpit) version SRM_SERVER 7.14
SAP	N/A	Service Parts Management (SPM) versions SAP_APPL 617, 618, SAPSCORE 116, S4CORE 100, 101, 102 et 103
SAP	N/A	PDCE versions S4CORE 102, 103, S4COREOP 104, 105, 106, 107 et 108
SAP	N/A	Landscape Transformation (PCL Basis) versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, 2020, S4CORE 102, 103, 104, 105, 106, 107 et 108
SAP	N/A	GUI for Windows version BC-FES-GUI 8.00

References

Title

Publication Time

Tags

Bulletin de sécurité SAP may-2025

2025-05-13

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "S/4HANA HCM Portugal and SAP ERP HCM Portugal versions S4HCMCPT 100, 101, SAP_HRCPT 600, 604 et 608",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Service Parts Management (SPM) versions SAP_APPL 600, 602, 603, 604, 605, 606, 616, 617, 618, SAPSCORE 111, S4CORE 100, 101 et 102",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver (Visual Composer development server) version VCFRAMEWORK 7.50",
      "product": {
        "name": "NetWeaver",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Supplier Relationship Management (Master Data Management Catalog) version SRM_MDM_CAT 7.52",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "BusinessObjects Business Intelligence Platform versions ENTERPRISE 420, 430 et 2025",
      "product": {
        "name": "Business Objects Business Intelligence Platform",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Business Objects Business Intelligence Platform (PMW) versions ENTERPRISE 430, 2025 et 2027",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "NetWeaver Application Server ABAP et ABAP Platform versions SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 et SAP_BASIS 758",
      "product": {
        "name": "NetWeaver Application Server ABAP et ABAP Platform",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Data Services Management Console version SBOP DS JOB SERVER 4.3",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Digital Manufacturing (Production Operator Dashboard) version CTNR-DME-PODFOUNDATION-MS 1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Fiori for SAP ERP versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757 et 758",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S4/HANA (OData meta-data property) versions S4CORE 102, 103, 104, 105 et 106",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA (Private Cloud \u0026 On-Premise) versions S4CRM 204, 205, 206, S4CEXT 107, 108, BBPCRM 702, 712, 713, 714",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) versions S4CORE 102, 103, 104, 105, 106, 107, 108, SCM_BASIS 700, 701, 702, 712, 713 et 714",
      "product": {
        "name": "S/4HANA",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Gateway Client versions SAP_GWFND 752, 753, 754, 755, 756, 757 et 758",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Supplier Relationship Management (Live Auction Cockpit) version SRM_SERVER 7.14",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Service Parts Management (SPM) versions SAP_APPL 617, 618, SAPSCORE 116, S4CORE 100, 101, 102 et 103",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "PDCE versions S4CORE 102, 103, S4COREOP 104, 105, 106, 107 et 108",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "Landscape Transformation (PCL Basis) versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, 2020, S4CORE 102, 103, 104, 105, 106, 107 et 108",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    },
    {
      "description": "GUI for Windows version BC-FES-GUI 8.00",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SAP",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-43003",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43003"
    },
    {
      "name": "CVE-2025-43007",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43007"
    },
    {
      "name": "CVE-2025-23191",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-23191"
    },
    {
      "name": "CVE-2025-42999",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42999"
    },
    {
      "name": "CVE-2025-43009",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43009"
    },
    {
      "name": "CVE-2025-43011",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43011"
    },
    {
      "name": "CVE-2025-43006",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43006"
    },
    {
      "name": "CVE-2025-0060",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0060"
    },
    {
      "name": "CVE-2025-30012",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30012"
    },
    {
      "name": "CVE-2025-43000",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43000"
    },
    {
      "name": "CVE-2025-43004",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43004"
    },
    {
      "name": "CVE-2025-31324",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31324"
    },
    {
      "name": "CVE-2025-43005",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43005"
    },
    {
      "name": "CVE-2025-43008",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43008"
    },
    {
      "name": "CVE-2025-31329",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-31329"
    },
    {
      "name": "CVE-2025-30009",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30009"
    },
    {
      "name": "CVE-2025-30011",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30011"
    },
    {
      "name": "CVE-2025-43002",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43002"
    },
    {
      "name": "CVE-2025-26662",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-26662"
    },
    {
      "name": "CVE-2025-30010",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30010"
    },
    {
      "name": "CVE-2025-42997",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-42997"
    },
    {
      "name": "CVE-2025-0061",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-0061"
    },
    {
      "name": "CVE-2025-43010",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-43010"
    },
    {
      "name": "CVE-2024-39592",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-39592"
    },
    {
      "name": "CVE-2025-30018",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-30018"
    }
  ],
  "initial_release_date": "2025-05-13T00:00:00",
  "last_revision_date": "2025-06-12T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0396",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-05-13T00:00:00.000000"
    },
    {
      "description": "Ajout des identifiants CVE CVE-2025-0060, CVE-2025-0061 et CVE-2025-23191",
      "revision_date": "2025-06-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits SAP. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SAP",
  "vendor_advisories": [
    {
      "published_at": "2025-05-13",
      "title": "Bulletin de s\u00e9curit\u00e9 SAP may-2025",
      "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2025.html"
    }
  ]
}

FKIE_CVE-2025-43008

Vulnerability from fkie_nvd - Published: 2025-05-13 01:15 - Updated: 2025-05-13 19:35

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N

Summary

References

	URL	Tags
	cna@sap.com	https://me.sap.com/notes/3585992
	cna@sap.com	https://url.sap/sapsecuritypatchday

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Due to missing authorization check, an unauthorized user can view the files of other company. This might lead to disclosure of personal data of employees. There is no impact on integrity and availability."
    },
    {
      "lang": "es",
      "value": "Debido a la falta de verificaci\u00f3n de autorizaci\u00f3n, un usuario no autorizado puede acceder a los archivos de otra empresa. Esto podr\u00eda conllevar la divulgaci\u00f3n de datos personales de los empleados. Esto no afecta la integridad ni la disponibilidad."
    }
  ],
  "id": "CVE-2025-43008",
  "lastModified": "2025-05-13T19:35:18.080",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 4.0,
        "source": "cna@sap.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-13T01:15:49.600",
  "references": [
    {
      "source": "cna@sap.com",
      "url": "https://me.sap.com/notes/3585992"
    },
    {
      "source": "cna@sap.com",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "cna@sap.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-43008 (GCVE-0-2025-43008)

CNVD-2025-11406

GHSA-XVX6-286H-35QM

CERTFR-2025-AVI-0396

Solutions

FKIE_CVE-2025-43008

Tags

Sightings

Nomenclature