CVE-2025-43006: CWE-79: Improper Neutralization of Input During Web Page Generation in SAP_SE SAP Supplier Relationship Management (Master Data Management Catalog)

Medium
Tags: Vulnerability, CVE-2025-43006, cve, cwe-79
Published: Tue May 13 2025 (05/13/2025, 00:19:01 UTC)
Source: CVE
Vendor/Project: SAP_SE
Product: SAP Supplier Relationship Management (Master Data Management Catalog)

Description

SAP Supplier Relationship Management (Master Data Management Catalogue) allows an unauthenticated attacker to execute malicious scripts in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity.

AI-Powered Analysis

Last updated: 07/12/2025, 01:48:56 UTC

Technical Analysis

CVE-2025-43006 is a medium-severity vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), affecting SAP Supplier Relationship Management (SRM) Master Data Management Catalog version 7.52. This vulnerability allows an unauthenticated attacker to inject and execute malicious scripts within the affected web application, resulting in a Cross-Site Scripting (XSS) attack. The vulnerability arises due to insufficient input sanitization or encoding when generating web pages, enabling attackers to craft payloads that execute in the context of the victim's browser. Exploitation does not require authentication but does require user interaction, such as clicking a malicious link or visiting a compromised page. The CVSS v3.1 base score is 6.1, reflecting a network attack vector, low attack complexity, no privileges required, user interaction needed, and a scope change. The impact primarily affects confidentiality and integrity by potentially exposing sensitive information or enabling session hijacking, but it does not affect availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is specific to the SRM MDM Catalog component, which is used for managing supplier master data within SAP environments, often integrated into broader enterprise resource planning (ERP) systems.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of supplier-related data managed within SAP SRM environments. Attackers exploiting this XSS flaw could steal session tokens, perform unauthorized actions on behalf of users, or manipulate displayed data, potentially leading to data leakage or fraudulent transactions. Although availability is not impacted, the breach of trust and data integrity could disrupt supplier relationships and compliance with data protection regulations such as GDPR. Given the critical role of supplier management in procurement and supply chain operations, exploitation could indirectly affect business continuity and operational efficiency. The risk is heightened in sectors with stringent regulatory requirements and high-value supply chains, such as manufacturing, automotive, pharmaceuticals, and financial services, all of which are prevalent across Europe.

Mitigation Recommendations

European organizations using SAP SRM MDM Catalog 7.52 should implement the following specific mitigations:

1) Monitor SAP Security Notes and apply official patches or updates as soon as they become available to remediate the vulnerability.
2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting the affected SAP component.
3) Conduct thorough input validation and output encoding on all user-controllable inputs within the SAP SRM environment, especially those related to master data catalog interfaces, to prevent script injection.
4) Educate users about the risks of clicking untrusted links and implement Content Security Policy (CSP) headers to restrict script execution sources.
5) Regularly audit SAP SRM logs for suspicious activities indicative of XSS exploitation attempts.
6) Limit exposure by restricting access to the SAP SRM MDM Catalog interface to trusted networks or VPNs, reducing the attack surface.
7) Integrate SAP security scanning tools into the development and deployment lifecycle to identify similar vulnerabilities proactively.

Technical Details

Data Version: 5.1
Assigner Short Name: sap
Date Reserved: 2025-04-16T13:25:53.589Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9815c4522896dcbd6529

Added to database: 5/21/2025, 9:08:37 AM

Last enriched: 7/12/2025, 1:48:56 AM

Last updated: 8/1/2025, 1:50:13 AM
