CVE-2025-31328

{"id": "CVE-2025-31328", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "cna@sap.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}]}, "published": "2025-04-22T19:15:52.570", "references": [{"url": "https://me.sap.com/notes/3446649", "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "cna@sap.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "SAP Learning Solution is vulnerable to Cross-Site Request Forgery (CSRF), allowing an attacker to trick authenticated user into sending unintended requests to the server. GET-based OData function is named in a way that it violates the expected behaviour. This issue could impact both the confidentiality and integrity of the application without affecting the availability."}, {"lang": "es", "value": "SAP Learning Solution es vulnerable a Cross-Site Request Forgery (CSRF), lo que permite a un atacante enga\u00f1ar a un usuario autenticado para que env\u00ede solicitudes no deseadas al servidor. La funci\u00f3n OData basada en GET tiene un nombre que viola el comportamiento esperado. Este problema podr\u00eda afectar tanto la confidencialidad como la integridad de la aplicaci\u00f3n sin afectar la disponibilidad."}], "lastModified": "2025-04-23T14:08:13.383", "sourceIdentifier": "cna@sap.com"}