Cross-Site Request Forgery Vulnerability in SAP Learning Solution by SAP
CVE-2025-31328

4.6 MEDIUM

Key Information:

Vendor

SAP

CVE Published:
22 April 2025

What is CVE-2025-31328?

SAP Learning Solution is vulnerable to Cross-Site Request Forgery (CSRF): an attacker can trick an authenticated user into unintentionally sending requests to the server. The cause is a GET-based OData function whose name does not match what the function actually does. Exploitation can compromise the confidentiality and integrity of user data; the system's availability is not affected.

Affected Version(s)

SAP S/4 HANA (Learning Solution) S4HCMGXX 100

SAP S/4 HANA (Learning Solution) 101

CVSS V3.1

Score:
4.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
