FKIE_CVE-2020-6268
Vulnerability from fkie_nvd - Published: 2020-06-10 13:15 - Updated: 2026-06-17 03:22
Severity
Summary
Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | erp_\(ea-finserv\) | 600 | |
| sap | erp_\(ea-finserv\) | 603 | |
| sap | erp_\(ea-finserv\) | 604 | |
| sap | erp_\(ea-finserv\) | 605 | |
| sap | erp_\(ea-finserv\) | 606 | |
| sap | erp_\(ea-finserv\) | 616 | |
| sap | erp_\(ea-finserv\) | 617 | |
| sap | erp_\(ea-finserv\) | 618 | |
| sap | erp_\(ea-finserv\) | 800 | |
| sap | erp_\(s4core\) | 101 | |
| sap | erp_\(s4core\) | 102 | |
| sap | erp_\(s4core\) | 103 | |
| sap | erp_\(s4core\) | 104 |
{
"affected": [
{
"affectedData": [
{
"product": "SAP ERP (Statutory Reporting for Insurance Companies)",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "\u003c EA-FINSERV 600"
},
{
"status": "affected",
"version": "\u003c 603"
},
{
"status": "affected",
"version": "\u003c 604"
},
{
"status": "affected",
"version": "\u003c 605"
},
{
"status": "affected",
"version": "\u003c 606"
},
{
"status": "affected",
"version": "\u003c 616"
},
{
"status": "affected",
"version": "\u003c 617"
},
{
"status": "affected",
"version": "\u003c 618"
},
{
"status": "affected",
"version": "\u003c 800S4CORE 101"
},
{
"status": "affected",
"version": "\u003c 102"
},
{
"status": "affected",
"version": "\u003c 103"
},
{
"status": "affected",
"version": "\u003c 104"
}
]
}
],
"source": "cna@sap.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):600:*:*:*:*:*:*:*",
"matchCriteriaId": "EDDEDCE8-4D47-4DF8-B695-3DD8F038E8CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):603:*:*:*:*:*:*:*",
"matchCriteriaId": "F74C18C0-9673-4FBF-A92A-6AE4361B67C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):604:*:*:*:*:*:*:*",
"matchCriteriaId": "81FEFC98-311D-483D-B1EA-AC557F8D0FC7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):605:*:*:*:*:*:*:*",
"matchCriteriaId": "CC594DEE-4BFB-487C-8872-0669D7586D89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):606:*:*:*:*:*:*:*",
"matchCriteriaId": "2AD55C9B-46DD-4A49-9F87-EEE104B770B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):616:*:*:*:*:*:*:*",
"matchCriteriaId": "009B1BB0-1746-4EA1-AFC6-27D27F46C555",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):617:*:*:*:*:*:*:*",
"matchCriteriaId": "2F7CD93E-832C-4DBA-95E2-8BDBF18FBD96",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):618:*:*:*:*:*:*:*",
"matchCriteriaId": "9A026D77-9B58-43F4-B308-435ACC77D203",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:erp_\\(ea-finserv\\):800:*:*:*:*:*:*:*",
"matchCriteriaId": "F28DE352-9903-4E6A-BC74-2BFD971F82F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:erp_\\(s4core\\):101:*:*:*:*:*:*:*",
"matchCriteriaId": "B2B21140-C45E-4F25-95E3-0C741FB5EF43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:erp_\\(s4core\\):102:*:*:*:*:*:*:*",
"matchCriteriaId": "E0BEF0EE-5FF8-4B55-AAA2-D99D7EE43DAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:erp_\\(s4core\\):103:*:*:*:*:*:*:*",
"matchCriteriaId": "F355C445-63CA-44C9-A49C-6AC08EF4460E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sap:erp_\\(s4core\\):104:*:*:*:*:*:*:*",
"matchCriteriaId": "3D6A0B88-C577-4A59-815D-646EF9ACF5F2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data leading to Missing Authorization Check."
},
{
"lang": "es",
"value": "Statutory Reporting de Insurance Companies en SAP ERP (EA-FINSERV versiones - 600, 603, 604, 605, 606, 616, 617, 618, 800 y S4CORE versiones 101, 102, 103, 104) no ejecuta las comprobaciones de autorizaci\u00f3n requeridas para un usuario autenticado, que permite a un atacante visualizar y manipular determinados datos restringidos conllevando a una Falta de Verificaci\u00f3n de Autorizaci\u00f3n"
}
],
"id": "CVE-2020-6268",
"lastModified": "2026-06-17T03:22:58.613",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "cna@sap.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-10T13:15:18.290",
"references": [
{
"source": "cna@sap.com",
"tags": [
"Permissions Required"
],
"url": "https://launchpad.support.sap.com/#/notes/2906996"
},
{
"source": "cna@sap.com",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://launchpad.support.sap.com/#/notes/2906996"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775"
}
],
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…