CVE-2025-30018: Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)

8.6 CVSS

Description

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which, when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application's confidentiality, with no effect on the integrity or availability of the application.

Classification

CVE ID: CVE-2025-30018

CVSS Base Severity: HIGH

CVSS Base Score: 8.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Problem Types

CWE-611: Improper Restriction of XML External Entity Reference

Affected Products

Vendor: SAP_SE

Product: SAP Supplier Relationship Management (Live Auction Cockpit)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (estimated probability of exploitation in the wild)

EPSS Percentile: 24.39% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-11 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2025-30018
https://me.sap.com/notes/3578900
https://url.sap/sapsecuritypatchday