fkie_cve-2025-42934
Vulnerability from fkie_nvd
Published
2025-08-12 03:15
Modified
2025-08-12 14:25
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the 'Trusted Sites' configuration by injecting line feed (LF) characters into application inputs. This vulnerability has a low impact on the application's integrity and no impact on confidentiality or availability.
References
cna@sap.comhttps://me.sap.com/notes/3616863
cna@sap.comhttps://url.sap/sapsecuritypatchday
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the \u0027Trusted Sites\u0027 configuration by injecting line feed (LF) characters into application inputs. This vulnerability has a low impact on the application\u0027s integrity and no impact on confidentiality or availability."
    },
    {
      "lang": "es",
      "value": "La factura de proveedor de SAP S/4HANA es vulnerable a la inyecci\u00f3n de CRLF. Un atacante con privilegios de usuario puede eludir la lista de permitidos e insertar sitios no confiables en la configuraci\u00f3n de \"Trusted Sites\" inyectando caracteres de salto de l\u00ednea (LF) en las entradas de la aplicaci\u00f3n. Esta vulnerabilidad tiene un impacto m\u00ednimo en la integridad de la aplicaci\u00f3n y no afecta la confidencialidad ni la disponibilidad."
    }
  ],
  "id": "CVE-2025-42934",
  "lastModified": "2025-08-12T14:25:33.177",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "cna@sap.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-08-12T03:15:25.317",
  "references": [
    {
      "source": "cna@sap.com",
      "url": "https://me.sap.com/notes/3616863"
    },
    {
      "source": "cna@sap.com",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "sourceIdentifier": "cna@sap.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-113"
        }
      ],
      "source": "cna@sap.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.