Cross-Site Scripting Vulnerability in SAP Supplier Relationship Management
CVE-2025-42920

6.1MEDIUM

Key Information:

Vendor: SAP
Status: SAP Supplier Relationship Management
Vendor: CVE Published:; 9 September 2025

What is CVE-2025-42920?

A Cross-Site Scripting (XSS) vulnerability has been identified in SAP Supplier Relationship Management, enabling unauthenticated attackers to create malicious links that, when accessed by an authenticated user, inject harmful scripts into the web application. This exploitation allows attackers to manipulate content within the victim's browser session, leading to unauthorized data access and compromise of sensitive information. While the availability of the service remains intact, the integrity and confidentiality of user data are at risk, necessitating immediate attention and patching to protect against such threats.

Affected Version(s)

SAP Supplier Relationship Management SRM_SERVER 700

SAP Supplier Relationship Management 701

SAP Supplier Relationship Management 702

References

https://me.sap.com/notes/3647098

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 9, 2025
Vulnerability Reserved
Apr 16, 2025