SAP S/4HANA Supplier Invoice CRLF Injection Vulnerability

Vulnerability

A CRLF injection vulnerability has been identified in SAP S/4HANA Supplier Invoice. It allows an attacker with user-level privileges to bypass the allowlist and inject untrusted sites into the 'Trusted Sites' configuration by inserting line feed characters into application inputs. The vulnerability affects the application's integrity; it does not affect confidentiality or availability.

Impact

Exploitation of this vulnerability could lead to unauthorized modification of the 'Trusted Sites' configuration, allowing the injection of untrusted sites.
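The mechanism described in the Vulnerability and Impact sections, as an added illustration in Python that is not SAP code and does not model the actual S/4HANA implementation: a constructed line-delimited 'Trusted Sites' store, a naive allowlist check that a newline can slip past, the hardened check that rejects control characters and anchors validation to the whole value, and an audit helper a defender can run over an existing configuration to find entries that should never have been accepted. The approved hosts, the URL pattern and the store format are all assumptions made for the example.

```python
import re

# Constructed allowlist of approved hosts for this example; not SAP's real data.
APPROVED_HOSTS = {"vendor.example.com", "portal.example.com"}

# Assumed shape of a trusted-site entry: an https URL with a bare host.
HOST_PATTERN = r"https://([a-z0-9.-]+)/?"

# Any ASCII control character (CR, LF, NUL, TAB, ...) is rejected outright.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_trusted_sites(config_text: str) -> list[str]:
    """Assumed store format: one trusted site per line."""
    return [line.strip() for line in config_text.splitlines() if line.strip()]


def vulnerable_add_trusted_site(config_text: str, submitted: str) -> str:
    """Defect modelled here: the allowlist check uses ^...$ with re.MULTILINE,
    so it is satisfied if *any* line of the submitted value is approved, and
    the raw value is then appended to a line-delimited store. A value such as
    'approved-site\\nuntrusted-site' therefore becomes two stored entries."""
    match = re.search("^" + HOST_PATTERN + "$", submitted, re.MULTILINE)
    if not match or match.group(1) not in APPROVED_HOSTS:
        raise ValueError("host not in allowlist")
    return config_text.rstrip("\r\n") + "\n" + submitted + "\n"


def hardened_add_trusted_site(config_text: str, submitted: str) -> str:
    """Mitigation: reject control characters before anything else, validate
    the whole value (fullmatch, no MULTILINE), and re-audit the store after
    the write so an unexpected entry can never be persisted silently."""
    if CONTROL_CHARS.search(submitted):
        raise ValueError("control characters are not allowed in a site entry")
    match = re.fullmatch(HOST_PATTERN, submitted)
    if not match or match.group(1) not in APPROVED_HOSTS:
        raise ValueError("host not in allowlist")
    new_text = config_text.rstrip("\r\n") + "\n" + submitted + "\n"
    if audit_trusted_sites(new_text):
        raise ValueError("store would contain an unapproved entry")
    return new_text


def audit_trusted_sites(config_text: str) -> list[str]:
    """Detection: return every stored entry that is not an approved host.
    Running this over an existing configuration surfaces entries injected
    before the fix was applied."""
    bad = []
    for entry in parse_trusted_sites(config_text):
        match = re.fullmatch(HOST_PATTERN, entry)
        if not match or match.group(1) not in APPROVED_HOSTS:
            bad.append(entry)
    return bad


if __name__ == "__main__":
    # Constructed sample store and a constructed multi-line input.
    store = "https://portal.example.com\n"
    crafted = "https://vendor.example.com\nhttps://untrusted.invalid"

    tainted = vulnerable_add_trusted_site(store, crafted)
    print("naive store:", parse_trusted_sites(tainted))
    print("audit flags:", audit_trusted_sites(tainted))

    try:
        hardened_add_trusted_site(store, crafted)
    except ValueError as err:
        print("hardened rejects:", err)
```

The audit helper is the part worth keeping after patching: the SAP note closes the input path, but entries already written to the configuration remain until someone reviews the stored list against the intended allowlist.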

Remediation

Users are advised to review and implement the SAP Security Note related to this vulnerability, available through the SAP Security Patch Day Bulletin.

Added: Aug 12, 2025, 3:58 AM
Updated: Aug 12, 2025, 3:58 AM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         0.6
exploitability: 5.2
remediation:    0.0
relevance:      0.3
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.