Search

Find a vulnerability

Search criteria

    14 vulnerabilities found for s\/4_hana by sap

    CVE-2026-0498 (GCVE-0-2026-0498)

    Vulnerability from nvd – Published: 2026-01-13 01:13 – Updated: 2026-02-26 15:04
    VLAI
    Title
    Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise)
    Summary
    SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP S/4HANA (Private Cloud and On-Premise) Affected: S4CORE 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Affected: 108
    Affected: 109
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0498",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-14T04:57:10.297243Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T15:04:49.230Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA (Private Cloud and On-Premise)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                },
                {
                  "status": "affected",
                  "version": "108"
                },
                {
                  "status": "affected",
                  "version": "109"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eSAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.\u003c/p\u003e"
                }
              ],
              "value": "SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-13T01:13:41.371Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3694242"
            },
            {
              "url": "https://url.sap/sapsecuritypatchday"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2026-0498",
        "datePublished": "2026-01-13T01:13:41.371Z",
        "dateReserved": "2025-12-09T22:06:39.790Z",
        "dateUpdated": "2026-02-26T15:04:49.230Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-45282 (GCVE-0-2024-45282)

    Vulnerability from nvd – Published: 2024-10-08 03:21 – Updated: 2024-10-09 14:54
    VLAI
    Title
    HTTP Verb Tampering in SAP S/4 HANA(Manage Bank Statements)
    Summary
    Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-650 - Trusting HTTP Permission Methods on the Server Side
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP S/4 HANA (Manage Bank Statements) Affected: S4CORE
    Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45282",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T14:54:01.568870Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T14:54:13.725Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4 HANA (Manage Bank Statements)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE"
                },
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eFields which are in \u0027read only\u0027 state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.\u003c/p\u003e"
                }
              ],
              "value": "Fields which are in \u0027read only\u0027 state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-650",
                  "description": "CWE-650: Trusting HTTP Permission Methods on the Server Side",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-08T03:21:33.330Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3251893"
            },
            {
              "url": "https://url.sap/sapsecuritypatchday"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HTTP Verb Tampering in SAP S/4 HANA(Manage Bank Statements)",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2024-45282",
        "datePublished": "2024-10-08T03:21:33.330Z",
        "dateReserved": "2024-08-26T10:39:20.932Z",
        "dateUpdated": "2024-10-09T14:54:13.725Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-34691 (GCVE-0-2024-34691)

    Vulnerability from nvd – Published: 2024-06-11 02:22 – Updated: 2024-08-02 02:59
    VLAI
    Title
    Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)
    Summary
    Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP S/4HANA (Manage Incoming Payment Files) Affected: S4CORE 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Affected: 108
    Create a notification for this product.
    sap s4hana Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Affected: 108
        cpe:2.3:a:sap:s4hana:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:sap:s4hana:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "s4hana",
                "vendor": "sap",
                "versions": [
                  {
                    "status": "affected",
                    "version": "102"
                  },
                  {
                    "status": "affected",
                    "version": "103"
                  },
                  {
                    "status": "affected",
                    "version": "104"
                  },
                  {
                    "status": "affected",
                    "version": "105"
                  },
                  {
                    "status": "affected",
                    "version": "106"
                  },
                  {
                    "status": "affected",
                    "version": "107"
                  },
                  {
                    "status": "affected",
                    "version": "108"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-34691",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-11T14:10:07.910208Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-31T19:55:18.143Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:59:22.219Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3466175"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA (Manage Incoming Payment Files)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                },
                {
                  "status": "affected",
                  "version": "108"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Manage Incoming Payment Files (F1680) of SAP\nS/4HANA does not perform necessary authorization checks for an authenticated\nuser, resulting in escalation of privileges. As a result, it has high impact on\nintegrity and no impact on the confidentiality and availability of the system.\n\n\n\n"
                }
              ],
              "value": "Manage Incoming Payment Files (F1680) of SAP\nS/4HANA does not perform necessary authorization checks for an authenticated\nuser, resulting in escalation of privileges. As a result, it has high impact on\nintegrity and no impact on the confidentiality and availability of the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-11T02:22:24.435Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3466175"
            },
            {
              "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2024-34691",
        "datePublished": "2024-06-11T02:22:24.435Z",
        "dateReserved": "2024-05-07T05:46:11.658Z",
        "dateUpdated": "2024-08-02T02:59:22.219Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-41369 (GCVE-0-2023-41369)

    Vulnerability from nvd – Published: 2023-09-12 01:59 – Updated: 2024-09-25 15:33
    VLAI
    Title
    External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)
    Summary
    The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP S/4HANA (Create Single Payment application) Affected: 100
    Affected: 101
    Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Affected: 108
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T19:01:34.245Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3369680"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-41369",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T15:11:16.316030Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T15:33:02.395Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA (Create Single Payment application)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "101"
                },
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                },
                {
                  "status": "affected",
                  "version": "108"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe Create Single Payment application of SAP S/4HANA\u00a0- versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment.\u00a0When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the\u00a0entity loops to slow down the browser.\u003c/p\u003e"
                }
              ],
              "value": "The Create Single Payment application of SAP S/4HANA\u00a0- versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment.\u00a0When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the\u00a0entity loops to slow down the browser.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611: Improper Restriction of XML External Entity Reference",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-12T01:59:03.570Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3369680"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-41369",
        "datePublished": "2023-09-12T01:59:03.570Z",
        "dateReserved": "2023-08-29T05:27:56.301Z",
        "dateUpdated": "2024-09-25T15:33:02.395Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-41368 (GCVE-0-2023-41368)

    Vulnerability from nvd – Published: 2023-09-12 01:59 – Updated: 2024-09-26 16:04
    VLAI
    Title
    Insecure Direct Object Reference (IDOR) vulnerability in S4 HANA (Manage checkbook apps)
    Summary
    The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE S4 HANA ABAP (Manage checkbook apps) Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T19:01:35.327Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3355675"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-41368",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-26T16:02:46.199952Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-26T16:04:32.037Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "S4 HANA ABAP (Manage checkbook apps)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.\u003c/p\u003e"
                }
              ],
              "value": "The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-12T01:59:39.205Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3355675"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Insecure Direct Object Reference (IDOR) vulnerability in S4 HANA (Manage checkbook apps)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-41368",
        "datePublished": "2023-09-12T01:59:39.205Z",
        "dateReserved": "2023-08-29T05:27:56.301Z",
        "dateUpdated": "2024-09-26T16:04:32.037Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-26832 (GCVE-0-2020-26832)

    Vulnerability from nvd – Published: 2020-12-09 16:31 – Updated: 2024-08-04 16:03
    VLAI
    Summary
    SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.
    CWE
    • Missing Authorization
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP SE SAP NetWeaver AS ABAP (SAP Landscape Transformation) Affected: < 2011_1_620
    Affected: < 2011_1_640
    Affected: < 2011_1_700
    Affected: < 2011_1_710
    Affected: < 2011_1_730
    Affected: < 2011_1_731
    Affected: < 2011_1_752
    Affected: < 2020
    Create a notification for this product.
    SAP SE SAP S4 HANA (SAP Landscape Transformation) Affected: < 101
    Affected: < 102
    Affected: < 103
    Affected: < 104
    Affected: < 105
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:03:22.474Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2993132"
              },
              {
                "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2022/May/42"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP NetWeaver AS ABAP (SAP Landscape Transformation)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_620"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_640"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_700"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_710"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_730"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_731"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_752"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2020"
                }
              ]
            },
            {
              "product": "SAP S4 HANA (SAP Landscape Transformation)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 101"
                },
                {
                  "status": "affected",
                  "version": "\u003c 102"
                },
                {
                  "status": "affected",
                  "version": "\u003c 103"
                },
                {
                  "status": "affected",
                  "version": "\u003c 104"
                },
                {
                  "status": "affected",
                  "version": "\u003c 105"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-19T17:06:20.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2993132"
            },
            {
              "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2022/May/42"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2020-26832",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP NetWeaver AS ABAP (SAP Landscape Transformation)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_620"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_640"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_700"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_730"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_731"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_752"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2020"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP S4 HANA (SAP Landscape Transformation)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "101"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "103"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "104"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "105"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "7.6",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2993132",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2993132"
                },
                {
                  "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2022/May/42"
                },
                {
                  "name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2020-26832",
        "datePublished": "2020-12-09T16:31:03.000Z",
        "dateReserved": "2020-10-07T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:03:22.474Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-6188 (GCVE-0-2020-6188)

    Vulnerability from nvd – Published: 2020-02-12 19:46 – Updated: 2024-08-04 08:55
    VLAI
    Summary
    VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.
    CWE
    • Missing Authorization Check
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP ERP (SAP_APPL) Affected: = 6.0
    Affected: = 6.02
    Affected: = 6.03
    Affected: = 6.04
    Affected: = 6.05
    Affected: = 6.06
    Affected: = 6.16
    Create a notification for this product.
    SAP SE SAP ERP (SAP_FIN) Affected: = 6.17
    Affected: = 6.18
    Affected: = 7.0
    Affected: = 7.20
    Affected: = 7.30
    Create a notification for this product.
    SAP SE SAP S/4 HANA (S4CORE) Affected: = 1.0
    Affected: = 1.01
    Affected: = 1.02
    Affected: = 1.03
    Affected: = 1.04
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T08:55:22.007Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2857511"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP ERP (SAP_APPL)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 6.0"
                },
                {
                  "status": "affected",
                  "version": "= 6.02"
                },
                {
                  "status": "affected",
                  "version": "= 6.03"
                },
                {
                  "status": "affected",
                  "version": "= 6.04"
                },
                {
                  "status": "affected",
                  "version": "= 6.05"
                },
                {
                  "status": "affected",
                  "version": "= 6.06"
                },
                {
                  "status": "affected",
                  "version": "= 6.16"
                }
              ]
            },
            {
              "product": "SAP ERP (SAP_FIN)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 6.17"
                },
                {
                  "status": "affected",
                  "version": "= 6.18"
                },
                {
                  "status": "affected",
                  "version": "= 7.0"
                },
                {
                  "status": "affected",
                  "version": "= 7.20"
                },
                {
                  "status": "affected",
                  "version": "= 7.30"
                }
              ]
            },
            {
              "product": "SAP S/4 HANA (S4CORE)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 1.0"
                },
                {
                  "status": "affected",
                  "version": "= 1.01"
                },
                {
                  "status": "affected",
                  "version": "= 1.02"
                },
                {
                  "status": "affected",
                  "version": "= 1.03"
                },
                {
                  "status": "affected",
                  "version": "= 1.04"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Authorization Check",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-02-12T19:46:09.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2857511"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2020-6188",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP ERP (SAP_APPL)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "=",
                                "version_value": "6.0"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.02"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.03"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.04"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.05"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.06"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.16"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP ERP (SAP_FIN)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "=",
                                "version_value": "6.17"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.18"
                              },
                              {
                                "version_name": "=",
                                "version_value": "7.0"
                              },
                              {
                                "version_name": "=",
                                "version_value": "7.20"
                              },
                              {
                                "version_name": "=",
                                "version_value": "7.30"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP S/4 HANA (S4CORE)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "=",
                                "version_value": "1.0"
                              },
                              {
                                "version_name": "=",
                                "version_value": "1.01"
                              },
                              {
                                "version_name": "=",
                                "version_value": "1.02"
                              },
                              {
                                "version_name": "=",
                                "version_value": "1.03"
                              },
                              {
                                "version_name": "=",
                                "version_value": "1.04"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "6.3",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Authorization Check"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2857511",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2857511"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2020-6188",
        "datePublished": "2020-02-12T19:46:09.000Z",
        "dateReserved": "2020-01-08T00:00:00.000Z",
        "dateUpdated": "2024-08-04T08:55:22.007Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-0498 (GCVE-0-2026-0498)

    Vulnerability from cvelistv5 – Published: 2026-01-13 01:13 – Updated: 2026-02-26 15:04
    VLAI
    Title
    Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise)
    Summary
    SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP S/4HANA (Private Cloud and On-Premise) Affected: S4CORE 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Affected: 108
    Affected: 109
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0498",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-14T04:57:10.297243Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T15:04:49.230Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA (Private Cloud and On-Premise)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                },
                {
                  "status": "affected",
                  "version": "108"
                },
                {
                  "status": "affected",
                  "version": "109"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eSAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system.\u003c/p\u003e"
                }
              ],
              "value": "SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-13T01:13:41.371Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3694242"
            },
            {
              "url": "https://url.sap/sapsecuritypatchday"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2026-0498",
        "datePublished": "2026-01-13T01:13:41.371Z",
        "dateReserved": "2025-12-09T22:06:39.790Z",
        "dateUpdated": "2026-02-26T15:04:49.230Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-45282 (GCVE-0-2024-45282)

    Vulnerability from cvelistv5 – Published: 2024-10-08 03:21 – Updated: 2024-10-09 14:54
    VLAI
    Title
    HTTP Verb Tampering in SAP S/4 HANA(Manage Bank Statements)
    Summary
    Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-650 - Trusting HTTP Permission Methods on the Server Side
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP S/4 HANA (Manage Bank Statements) Affected: S4CORE
    Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-45282",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-09T14:54:01.568870Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-09T14:54:13.725Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4 HANA (Manage Bank Statements)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE"
                },
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eFields which are in \u0027read only\u0027 state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.\u003c/p\u003e"
                }
              ],
              "value": "Fields which are in \u0027read only\u0027 state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-650",
                  "description": "CWE-650: Trusting HTTP Permission Methods on the Server Side",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-08T03:21:33.330Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3251893"
            },
            {
              "url": "https://url.sap/sapsecuritypatchday"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "HTTP Verb Tampering in SAP S/4 HANA(Manage Bank Statements)",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2024-45282",
        "datePublished": "2024-10-08T03:21:33.330Z",
        "dateReserved": "2024-08-26T10:39:20.932Z",
        "dateUpdated": "2024-10-09T14:54:13.725Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-34691 (GCVE-0-2024-34691)

    Vulnerability from cvelistv5 – Published: 2024-06-11 02:22 – Updated: 2024-08-02 02:59
    VLAI
    Title
    Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)
    Summary
    Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP S/4HANA (Manage Incoming Payment Files) Affected: S4CORE 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Affected: 108
    Create a notification for this product.
    sap s4hana Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Affected: 108
        cpe:2.3:a:sap:s4hana:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:sap:s4hana:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "s4hana",
                "vendor": "sap",
                "versions": [
                  {
                    "status": "affected",
                    "version": "102"
                  },
                  {
                    "status": "affected",
                    "version": "103"
                  },
                  {
                    "status": "affected",
                    "version": "104"
                  },
                  {
                    "status": "affected",
                    "version": "105"
                  },
                  {
                    "status": "affected",
                    "version": "106"
                  },
                  {
                    "status": "affected",
                    "version": "107"
                  },
                  {
                    "status": "affected",
                    "version": "108"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-34691",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-11T14:10:07.910208Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-31T19:55:18.143Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T02:59:22.219Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3466175"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA (Manage Incoming Payment Files)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "S4CORE 102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                },
                {
                  "status": "affected",
                  "version": "108"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Manage Incoming Payment Files (F1680) of SAP\nS/4HANA does not perform necessary authorization checks for an authenticated\nuser, resulting in escalation of privileges. As a result, it has high impact on\nintegrity and no impact on the confidentiality and availability of the system.\n\n\n\n"
                }
              ],
              "value": "Manage Incoming Payment Files (F1680) of SAP\nS/4HANA does not perform necessary authorization checks for an authenticated\nuser, resulting in escalation of privileges. As a result, it has high impact on\nintegrity and no impact on the confidentiality and availability of the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-11T02:22:24.435Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3466175"
            },
            {
              "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2024-34691",
        "datePublished": "2024-06-11T02:22:24.435Z",
        "dateReserved": "2024-05-07T05:46:11.658Z",
        "dateUpdated": "2024-08-02T02:59:22.219Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-41368 (GCVE-0-2023-41368)

    Vulnerability from cvelistv5 – Published: 2023-09-12 01:59 – Updated: 2024-09-26 16:04
    VLAI
    Title
    Insecure Direct Object Reference (IDOR) vulnerability in S4 HANA (Manage checkbook apps)
    Summary
    The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE S4 HANA ABAP (Manage checkbook apps) Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T19:01:35.327Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3355675"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-41368",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-26T16:02:46.199952Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-26T16:04:32.037Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "S4 HANA ABAP (Manage checkbook apps)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.\u003c/p\u003e"
                }
              ],
              "value": "The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-12T01:59:39.205Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3355675"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Insecure Direct Object Reference (IDOR) vulnerability in S4 HANA (Manage checkbook apps)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-41368",
        "datePublished": "2023-09-12T01:59:39.205Z",
        "dateReserved": "2023-08-29T05:27:56.301Z",
        "dateUpdated": "2024-09-26T16:04:32.037Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-41369 (GCVE-0-2023-41369)

    Vulnerability from cvelistv5 – Published: 2023-09-12 01:59 – Updated: 2024-09-25 15:33
    VLAI
    Title
    External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)
    Summary
    The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP_SE SAP S/4HANA (Create Single Payment application) Affected: 100
    Affected: 101
    Affected: 102
    Affected: 103
    Affected: 104
    Affected: 105
    Affected: 106
    Affected: 107
    Affected: 108
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T19:01:34.245Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://me.sap.com/notes/3369680"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-41369",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T15:11:16.316030Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T15:33:02.395Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SAP S/4HANA (Create Single Payment application)",
              "vendor": "SAP_SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "100"
                },
                {
                  "status": "affected",
                  "version": "101"
                },
                {
                  "status": "affected",
                  "version": "102"
                },
                {
                  "status": "affected",
                  "version": "103"
                },
                {
                  "status": "affected",
                  "version": "104"
                },
                {
                  "status": "affected",
                  "version": "105"
                },
                {
                  "status": "affected",
                  "version": "106"
                },
                {
                  "status": "affected",
                  "version": "107"
                },
                {
                  "status": "affected",
                  "version": "108"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eThe Create Single Payment application of SAP S/4HANA\u00a0- versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment.\u00a0When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the\u00a0entity loops to slow down the browser.\u003c/p\u003e"
                }
              ],
              "value": "The Create Single Payment application of SAP S/4HANA\u00a0- versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment.\u00a0When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the\u00a0entity loops to slow down the browser.\n\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611: Improper Restriction of XML External Entity Reference",
                  "lang": "eng",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-12T01:59:03.570Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "url": "https://me.sap.com/notes/3369680"
            },
            {
              "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2023-41369",
        "datePublished": "2023-09-12T01:59:03.570Z",
        "dateReserved": "2023-08-29T05:27:56.301Z",
        "dateUpdated": "2024-09-25T15:33:02.395Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-26832 (GCVE-0-2020-26832)

    Vulnerability from cvelistv5 – Published: 2020-12-09 16:31 – Updated: 2024-08-04 16:03
    VLAI
    Summary
    SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.
    CWE
    • Missing Authorization
    Assigner
    sap
    Impacted products
    Vendor Product Version
    SAP SE SAP NetWeaver AS ABAP (SAP Landscape Transformation) Affected: < 2011_1_620
    Affected: < 2011_1_640
    Affected: < 2011_1_700
    Affected: < 2011_1_710
    Affected: < 2011_1_730
    Affected: < 2011_1_731
    Affected: < 2011_1_752
    Affected: < 2020
    Create a notification for this product.
    SAP SE SAP S4 HANA (SAP Landscape Transformation) Affected: < 101
    Affected: < 102
    Affected: < 103
    Affected: < 104
    Affected: < 105
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:03:22.474Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2993132"
              },
              {
                "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                "tags": [
                  "mailing-list",
                  "x_refsource_FULLDISC",
                  "x_transferred"
                ],
                "url": "http://seclists.org/fulldisclosure/2022/May/42"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP NetWeaver AS ABAP (SAP Landscape Transformation)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_620"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_640"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_700"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_710"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_730"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_731"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2011_1_752"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2020"
                }
              ]
            },
            {
              "product": "SAP S4 HANA (SAP Landscape Transformation)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 101"
                },
                {
                  "status": "affected",
                  "version": "\u003c 102"
                },
                {
                  "status": "affected",
                  "version": "\u003c 103"
                },
                {
                  "status": "affected",
                  "version": "\u003c 104"
                },
                {
                  "status": "affected",
                  "version": "\u003c 105"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-19T17:06:20.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2993132"
            },
            {
              "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
              "tags": [
                "mailing-list",
                "x_refsource_FULLDISC"
              ],
              "url": "http://seclists.org/fulldisclosure/2022/May/42"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2020-26832",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP NetWeaver AS ABAP (SAP Landscape Transformation)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_620"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_640"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_700"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_710"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_730"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_731"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2011_1_752"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "2020"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP S4 HANA (SAP Landscape Transformation)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "\u003c",
                                "version_value": "101"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "102"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "103"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "104"
                              },
                              {
                                "version_name": "\u003c",
                                "version_value": "105"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "7.6",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Authorization"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2993132",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2993132"
                },
                {
                  "name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)",
                  "refsource": "FULLDISC",
                  "url": "http://seclists.org/fulldisclosure/2022/May/42"
                },
                {
                  "name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2020-26832",
        "datePublished": "2020-12-09T16:31:03.000Z",
        "dateReserved": "2020-10-07T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:03:22.474Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-6188 (GCVE-0-2020-6188)

    Vulnerability from cvelistv5 – Published: 2020-02-12 19:46 – Updated: 2024-08-04 08:55
    VLAI
    Summary
    VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.
    CWE
    • Missing Authorization Check
    Assigner
    sap
    References
    Impacted products
    Vendor Product Version
    SAP SE SAP ERP (SAP_APPL) Affected: = 6.0
    Affected: = 6.02
    Affected: = 6.03
    Affected: = 6.04
    Affected: = 6.05
    Affected: = 6.06
    Affected: = 6.16
    Create a notification for this product.
    SAP SE SAP ERP (SAP_FIN) Affected: = 6.17
    Affected: = 6.18
    Affected: = 7.0
    Affected: = 7.20
    Affected: = 7.30
    Create a notification for this product.
    SAP SE SAP S/4 HANA (S4CORE) Affected: = 1.0
    Affected: = 1.01
    Affected: = 1.02
    Affected: = 1.03
    Affected: = 1.04
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T08:55:22.007Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://launchpad.support.sap.com/#/notes/2857511"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "SAP ERP (SAP_APPL)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 6.0"
                },
                {
                  "status": "affected",
                  "version": "= 6.02"
                },
                {
                  "status": "affected",
                  "version": "= 6.03"
                },
                {
                  "status": "affected",
                  "version": "= 6.04"
                },
                {
                  "status": "affected",
                  "version": "= 6.05"
                },
                {
                  "status": "affected",
                  "version": "= 6.06"
                },
                {
                  "status": "affected",
                  "version": "= 6.16"
                }
              ]
            },
            {
              "product": "SAP ERP (SAP_FIN)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 6.17"
                },
                {
                  "status": "affected",
                  "version": "= 6.18"
                },
                {
                  "status": "affected",
                  "version": "= 7.0"
                },
                {
                  "status": "affected",
                  "version": "= 7.20"
                },
                {
                  "status": "affected",
                  "version": "= 7.30"
                }
              ]
            },
            {
              "product": "SAP S/4 HANA (S4CORE)",
              "vendor": "SAP SE",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 1.0"
                },
                {
                  "status": "affected",
                  "version": "= 1.01"
                },
                {
                  "status": "affected",
                  "version": "= 1.02"
                },
                {
                  "status": "affected",
                  "version": "= 1.03"
                },
                {
                  "status": "affected",
                  "version": "= 1.04"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Missing Authorization Check",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-02-12T19:46:09.000Z",
            "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
            "shortName": "sap"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://launchpad.support.sap.com/#/notes/2857511"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cna@sap.com",
              "ID": "CVE-2020-6188",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "SAP ERP (SAP_APPL)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "=",
                                "version_value": "6.0"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.02"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.03"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.04"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.05"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.06"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.16"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP ERP (SAP_FIN)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "=",
                                "version_value": "6.17"
                              },
                              {
                                "version_name": "=",
                                "version_value": "6.18"
                              },
                              {
                                "version_name": "=",
                                "version_value": "7.0"
                              },
                              {
                                "version_name": "=",
                                "version_value": "7.20"
                              },
                              {
                                "version_name": "=",
                                "version_value": "7.30"
                              }
                            ]
                          }
                        },
                        {
                          "product_name": "SAP S/4 HANA (S4CORE)",
                          "version": {
                            "version_data": [
                              {
                                "version_name": "=",
                                "version_value": "1.0"
                              },
                              {
                                "version_name": "=",
                                "version_value": "1.01"
                              },
                              {
                                "version_name": "=",
                                "version_value": "1.02"
                              },
                              {
                                "version_name": "=",
                                "version_value": "1.03"
                              },
                              {
                                "version_name": "=",
                                "version_value": "1.04"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SAP SE"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check."
                }
              ]
            },
            "impact": {
              "cvss": {
                "baseScore": "6.3",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Missing Authorization Check"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812",
                  "refsource": "MISC",
                  "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812"
                },
                {
                  "name": "https://launchpad.support.sap.com/#/notes/2857511",
                  "refsource": "MISC",
                  "url": "https://launchpad.support.sap.com/#/notes/2857511"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "assignerShortName": "sap",
        "cveId": "CVE-2020-6188",
        "datePublished": "2020-02-12T19:46:09.000Z",
        "dateReserved": "2020-01-08T00:00:00.000Z",
        "dateUpdated": "2024-08-04T08:55:22.007Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }