CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2024-45282 – HTTP Verb Tampering in SAP S/4 HANA(Manage Bank Statements)
https://notcve.org/view.php?id=CVE-2024-45282
08 Oct 2024 — Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted. • https://me.sap.com/notes/3251893 • CWE-650: Trusting HTTP Permission Methods on the Server Side •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-41368 – Insecure Direct Object Reference (IDOR) vulnerability in S4 HANA (Manage checkbook apps)
https://notcve.org/view.php?id=CVE-2023-41368
12 Sep 2023 — The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call. El servicio OData de S4 HANA (Manage checkbook apps), versiones 102, 103, 104, 105, 106, 107, permite a un atacante cambiar el nombre del checkbook simulando una llamada OData de actualización. • https://me.sap.com/notes/3355675 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.0EPSS: 0%CPEs: 9EXPL: 0CVE-2023-41369 – External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application)
https://notcve.org/view.php?id=CVE-2023-41369
12 Sep 2023 — The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload the XML file as an attachment. When clicked on the XML file in the attachment section, the file gets opened in the browser to cause the entity loops to slow down the browser. La aplicación Create Single Payment de SAP S/4HANA - versiones 100, 101, 102, 103, 104, 105, 106, 107, 108, permite a un atacante cargar el archivo XML como datos adjuntos. Cuando se hace clic e... • https://me.sap.com/notes/3369680 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.6EPSS: 0%CPEs: 13EXPL: 3CVE-2020-26832 – SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization
https://notcve.org/view.php?id=CVE-2020-26832
09 Dec 2020 — SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailabl... • https://packetstorm.news/files/id/167229 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2020-6273
https://notcve.org/view.php?id=CVE-2020-6273
12 Aug 2020 — SAP S/4 HANA (Fiori UI for General Ledger Accounting), versions 103, 104, does not perform necessary authorization checks for an authenticated user working with attachment service, allowing the attacker to delete attachments due to Missing Authorization Check. SAP S/4 HANA (Fiori UI para General Ledger Accounting), versiones 103, 104, no lleva a cabo unas comprobaciones de autorización necesarias para un usuario autenticado que trabaja con el servicio attachment, permitiendo al atacante eliminar archivos ad... • https://launchpad.support.sap.com/#/notes/2885671 • CWE-862: Missing Authorization •