CVE-2025-42920
📋 TL;DR
This Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (SRM) lets an unauthenticated attacker craft a link carrying a script payload; when an authenticated SRM user opens it, the script runs in the victim's browser in the context of the SRM application. From there the attacker can read session cookies (where they are not flagged HttpOnly), alter what the page displays, or submit requests as the victim. Every organization running an affected SRM version is exposed.
💻 Affected Systems
- SAP Supplier Relationship Management
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator session cookies, gains full access to SAP SRM system, modifies supplier data, approves fraudulent payments, and exfiltrates sensitive business information.
Likely Case
Attacker steals user session cookies to access the victim's SAP SRM account, views confidential supplier information, and potentially modifies purchase orders or supplier details.
If Mitigated
With proper input validation and, above all, context-appropriate output encoding of the reflected input, the payload is rendered as inert text instead of being executed; a Content Security Policy that disallows inline scripts further limits what any remaining injection can do. Normal SRM functionality is unaffected.
🎯 Exploit Status
Exploitation requires social engineering: the attacker must get an authenticated SRM user to open a crafted link. The attacker needs no SRM account and no authentication bypass of their own.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See SAP Note 3647098 for specific patch versions
Vendor Advisory: https://me.sap.com/notes/3647098
Restart Required: No
Instructions:
1. Review SAP Note 3647098 for affected versions and the corresponding patches.
2. Apply the relevant SAP Security Patch Day updates.
3. Test the patch in a development environment before deploying to production.
🔧 Temporary Workarounds
Implement Content Security Policy
Deploy CSP headers that restrict script-src to trusted origins and disallow inline script execution. Roll the policy out in Content-Security-Policy-Report-Only mode first: SAP web UIs commonly rely on inline scripts, so an enforcing policy can break the application until the required exceptions are mapped.
Input Validation and Output Encoding
Implement server-side validation of all user inputs and proper output encoding for the HTML context in which they are rendered. Encoding inside SAP's own code is what the patch delivers; on the customer side this applies to custom enhancements and any front-end components placed in front of SRM.
🧯 If You Can't Patch
- Deploy web application firewall (WAF) rules that detect and block XSS payloads in URLs and parameters. This raises the bar but is not a fix: encoded or obfuscated payloads routinely evade signature matching.
- Educate users about phishing and use URL filtering to block suspicious external links, since the attack depends on a victim opening an attacker-supplied URL.
🔍 How to Verify
Check if Vulnerable:
Check SAP system version against affected versions listed in SAP Note 3647098
Check Version:
In SAP GUI, use System > Status > Component information (or transaction SPAM) to read the software component versions and support package levels and compare them with SAP Note 3647098; SM51 only lists the application servers and their kernel release, not the component patch level.
Verify Fix Applied:
Confirm in SPAM/SAINT that the support package or component level named in SAP Note 3647098 is imported (and in SNOTE that the note shows as implemented, if it is delivered as a correction instruction). Then, in a test environment only, send a harmless marker such as a bogus HTML tag in the affected parameter and confirm it comes back HTML-encoded rather than verbatim.
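The safe reflection test described above, as an added example for this advisory (not SAP tooling): it sends an inert marker tag in one GET parameter and reports whether the response echoes it raw, entity-encoded, or not at all. The target URL and parameter name are placeholders you supply for your own test system, and the RESPONSE_* bodies are constructed samples.

```python
"""Classify how a benign marker is reflected: raw, encoded, or absent.

Added example, not SAP code. Point it at a test system only.
"""
import re
import sys
import urllib.parse
import urllib.request

# Inert marker: an unknown tag with a unique token. Browsers render nothing
# for it and it runs no script, but it is easy to find in the response.
MARKER = '<xss-probe-7f3a>'

# Accept the usual entity spellings of "<" and ">" so named, decimal and
# hex encoders all count as "encoded".
ENCODED_MARKER = re.compile(
    r'(&lt;|&#60;|&#x3c;)xss-probe-7f3a(&gt;|&#62;|&#x3e;)', re.I)


def classify_reflection(body):
    """'raw' = marker echoed verbatim (no output encoding in an HTML context),
    'encoded' = echoed as entities (encoding in place), 'absent' = not echoed."""
    if MARKER in body:
        return "raw"
    if ENCODED_MARKER.search(body):
        return "encoded"
    return "absent"


def probe(base_url, param):
    """GET base_url with the marker in `param` and classify the response body.

    base_url and param are placeholders for the page and parameter under test.
    """
    query = urllib.parse.urlencode({param: MARKER})
    sep = "&" if "?" in base_url else "?"
    with urllib.request.urlopen(base_url + sep + query, timeout=10) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return classify_reflection(body)


# Constructed responses illustrating the three outcomes.
RESPONSE_RAW = '<div class="result">No results for <xss-probe-7f3a></div>'
RESPONSE_ENCODED = '<div class="result">No results for &lt;xss-probe-7f3a&gt;</div>'
RESPONSE_ABSENT = '<div class="result">No results</div>'

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python probe.py https://test-host/path paramname
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        for name, body in (("raw", RESPONSE_RAW),
                           ("encoded", RESPONSE_ENCODED),
                           ("absent", RESPONSE_ABSENT)):
            print(name, "->", classify_reflection(body))
```

A "raw" result means the marker reached the HTML output unencoded in that context; "encoded" for one parameter does not prove the whole note is applied, and "absent" may mean the value is reflected elsewhere (for example inside a script string with different escaping), so inspect the response by hand before drawing conclusions. The authoritative check remains the component level and note status in SPAM/SAINT and SNOTE.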
📡 Detection & Monitoring
Log Indicators:
- URL parameters containing script tags, event-handler attributes or javascript: URIs in web server, reverse proxy or SAP Web Dispatcher/ICM logs, including their URL-encoded forms (%3Cscript, %6Aavascript%3A)
- An authenticated user's session subsequently used from a different client IP address or User-Agent than the one that issued the suspicious request, which is what stolen session material looks like in the logs
Network Indicators:
- HTTP requests whose query string or body contains <script, javascript:, on*= event handlers, or their URL-encoded and double-encoded forms (%3Cscript, %253Cscript)
SIEM Query:
dest.app:"SAP SRM" AND (web.url:*<script* OR web.url:*%3Cscript* OR web.url:*javascript:* OR web.url:*onerror=*)
Parentheses matter: without them AND binds tighter than OR in most query languages, so the original form matched any URL containing "script" regardless of application. A bare *script* wildcard is also noisy (it matches paths such as /description); anchor on the "<" or its %3C encoding instead.
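The log and network indicators above, run as a script over constructed access-log lines; this is an added example for this advisory, not SAP tooling. It URL-decodes each request path before matching so encoded and double-encoded payloads are caught, shows why a bare "script" substring is the wrong thing to alert on, and flags an authenticated user whose requests start arriving from a different IP/User-Agent pair. The Combined Log Format layout, the /app/... paths and the sample lines are assumptions; adapt LOG_RE to what your proxy or SAP Web Dispatcher actually writes.

```python
"""Scan access-log lines for reflected-XSS indicators and session reuse.

Added example, not SAP code. SAMPLE_LOG is constructed for the demo.
"""
import re
from urllib.parse import unquote

# Payload markers, applied after URL-decoding. They require "<script", not a
# bare "script", so paths such as /app/description do not fire.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),          # onerror=, onload=, ...
    re.compile(r"<\s*(img|svg|iframe)\b", re.I),
]

# Assumed Combined Log Format:
# ip ident user [timestamp] "METHOD url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: jdoe is lured into a crafted link (line 2); a minute
# later jdoe's session is used from another address with a different client.
SAMPLE_LOG = [
    '198.51.100.5 - jdoe [12/Sep/2025:10:00:01 +0000] "GET /app/home HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '198.51.100.5 - jdoe [12/Sep/2025:10:00:09 +0000] "GET /app/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '198.51.100.22 - - [12/Sep/2025:10:00:15 +0000] "GET /app/description?page=2 HTTP/1.1" 200 777 "-" "Mozilla/5.0 (X11; Linux)"',
    '203.0.113.9 - jdoe [12/Sep/2025:10:01:30 +0000] "GET /app/orders HTTP/1.1" 200 4096 "-" "curl/8.4.0"',
    '203.0.113.9 - - [12/Sep/2025:10:02:00 +0000] "GET /app/search?q=%6Aavascript%3Aalert(1) HTTP/1.1" 200 2048 "-" "curl/8.4.0"',
]


def decode_url(url, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads surface."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def xss_markers(url):
    """Return the patterns that match the decoded URL (empty list if clean)."""
    decoded = decode_url(url)
    return [p.pattern for p in XSS_PATTERNS if p.search(decoded)]


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return (payload_hits, session_reuse_hits).

    payload_hits: (ip, user, url, markers) for requests carrying XSS markers.
    session_reuse_hits: (user, previous_client, new_client) when an
    authenticated user's requests switch to a different IP/User-Agent pair.
    """
    payload_hits, reuse_hits = [], []
    last_client = {}                      # user -> (ip, user-agent)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, don't crash
        markers = xss_markers(rec["url"])
        if markers:
            payload_hits.append((rec["ip"], rec["user"], rec["url"], markers))
        user = rec["user"]
        if user != "-":
            client = (rec["ip"], rec["ua"])
            prev = last_client.get(user)
            if prev is not None and prev != client:
                reuse_hits.append((user, prev, client))
            last_client[user] = client
    return payload_hits, reuse_hits


if __name__ == "__main__":
    hits, reuse = scan(SAMPLE_LOG)
    for h in hits:
        print("payload:", h)
    for r in reuse:
        print("session reuse:", r)
```

On the sample the scan reports two payload requests (the encoded script tag and the partly encoded javascript: URI) and one session-reuse event for jdoe, while the /app/description request stays quiet. The reuse heuristic alone produces false positives for mobile users and VPN changes; it is most useful when correlated with a payload hit for the same user shortly before.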