CVE-2025-30010

The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://me.sap.com/notes/3578900	Permissions Required
https://url.sap/sapsecuritypatchday	Not Applicable

Configurations

Configuration 1 (hide)

cpe:2.3:a:sap:supplier_relationship_management:7.14:*:*:*:*:*:*:*

History

23 Oct 2025, 16:57

Type	Values Removed	Values Added
First Time		Sap supplier Relationship Management Sap
CPE		cpe:2.3:a:sap:supplier_relationship_management:7.14:::::::*
References	~~() https://me.sap.com/notes/3578900 -~~	() https://me.sap.com/notes/3578900 - Permissions Required
References	~~() https://url.sap/sapsecuritypatchday -~~	() https://url.sap/sapsecuritypatchday - Not Applicable

13 May 2025, 19:35

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-13 01:15

Updated : 2025-10-23 16:57

NVD link : CVE-2025-30010

Mitre link : CVE-2025-30010

CVE.ORG link : CVE-2025-30010

JSON object : View

Products Affected

sap

supplier_relationship_management

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

6.1 /10