
CVSS: 3.1 | EPSS: 0% | CPEs: 9 | EXPL: 0

11 Feb 2025 — Cached values belonging to the SAP OData endpoint in SAP Fiori for SAP ERP could be poisoned by modifying the Host header value in an HTTP GET request. An attacker could alter the `atom:link` values in the returned metadata, redirecting them from the SAP server to a malicious link set by the attacker. Successful exploitation could cause a low impact on the integrity of the application. • https://me.sap.com/notes/3426825 • CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
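The mechanism behind this entry, as an added illustration that is not SAP's code and not taken from the advisory: a server that derives the absolute `atom:link` href from the client-supplied Host header and caches the result keyed on the path alone lets the first requester decide what every later client is pointed at. The hardened variant rejects unknown Host values before anything is rendered or cached and keys the cache on the host as well. The service path `/sap/opu/odata/sap/EXAMPLE_SRV`, the trusted host `erp.example.internal` and the attacker host are assumptions made for the example.

```python
"""Added illustration of Host-header cache poisoning of OData $metadata links.
Not SAP code: the service path, cache, and trusted-host list are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SERVICE_PATH = "/sap/opu/odata/sap/EXAMPLE_SRV"   # hypothetical OData service path
TRUSTED_HOSTS = {"erp.example.internal"}           # assumed canonical host name(s) of the server


def render_metadata(base_host: str) -> str:
    """Build the part of $metadata that matters here: an absolute atom:link href."""
    return f'<atom:link rel="self" href="https://{base_host}{SERVICE_PATH}/$metadata"/>'


def normalize_host(host: str) -> str:
    """Lower-case and drop an optional :port so 'Host: ERP.example.internal:443' compares correctly."""
    return host.strip().lower().split(":", 1)[0]


@dataclass
class VulnerableServer:
    """Cache keyed on path only; link host taken from whatever Host header arrived first."""
    cache: dict = field(default_factory=dict)

    def get(self, path: str, host: str) -> tuple:
        if path not in self.cache:
            self.cache[path] = render_metadata(normalize_host(host))   # first requester poisons everyone
        return 200, self.cache[path]


@dataclass
class HardenedServer:
    """Reject unknown Host values before rendering or caching; key the cache on (path, host)."""
    cache: dict = field(default_factory=dict)

    def get(self, path: str, host: str) -> tuple:
        host = normalize_host(host)
        if host not in TRUSTED_HOSTS:
            return 400, ""                             # nothing is generated, nothing is cached
        key = (path, host)
        if key not in self.cache:
            self.cache[key] = render_metadata(host)    # host is now a known-good value
        return 200, self.cache[key]


def link_host(metadata: str) -> str:
    """Return the host the atom:link points at, i.e. where a client following it would go."""
    start = metadata.index('href="') + len('href="')
    end = metadata.index('"', start)
    return urlsplit(metadata[start:end]).hostname


def poisoning_attempt(server) -> tuple:
    """Attacker primes the cache with a forged Host, then a legitimate client requests $metadata.
    Returns (status, host in the link the legitimate client received)."""
    path = f"{SERVICE_PATH}/$metadata"
    server.get(path, "attacker.example")
    status, body = server.get(path, "erp.example.internal")
    return status, (link_host(body) if body else None)


if __name__ == "__main__":
    print("vulnerable:", poisoning_attempt(VulnerableServer()))   # client is sent to attacker.example
    print("hardened:  ", poisoning_attempt(HardenedServer()))     # client is sent to erp.example.internal
```

A quick check from the client side is to fetch `$metadata` with a deliberately wrong Host header and confirm that the response is rejected and that a subsequent normal request still carries the server's own host in every `atom:link` href.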

CVSS: 6.1 | EPSS: 0% | CPEs: 13 | EXPL: 0

11 Jul 2023 — While using a specific function, SAP ERP Defense Forces and Public Security - versions 600, 603, 604, 605, 616, 617, 618, 802, 803, 804, 805, 806, 807, allows an authenticated attacker with admin privileges to write arbitrary data to the syslog file. On successful exploitation, the attacker could modify all of the syslog data, causing a complete compromise of the integrity of the application. • https://me.sap.com/notes/3351410 • CWE-117: Improper Output Neutralization for Logs
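What CWE-117 means in practice, as an added example that is not SAP's code and does not reproduce the SAP syslog format: when a caller-controlled field reaches a line-oriented log unescaped, a single CR/LF inside it forges an entire extra record that downstream consumers cannot distinguish from a genuine one. The log layout, user names and payload below are constructed for the example.

```python
"""Added illustration of log-output neutralization (CWE-117). Not SAP code; the
line format and sample entries are constructed for the example."""
import re

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(field: str) -> str:
    """Escape every control character (CR, LF, TAB, NUL, ...) so a field can never start a new record."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), field)


def write_unchecked(log: list, user: str, event: str, detail: str) -> None:
    """Vulnerable writer: the caller-controlled detail is appended verbatim."""
    log.append(f"{user} {event} {detail}")


def write_neutralized(log: list, user: str, event: str, detail: str) -> None:
    """Hardened writer: neutralize the caller-controlled field before it touches the log."""
    log.append(f"{user} {event} {neutralize(detail)}")


def records(log: list) -> list:
    """Interpret the log the way a line-oriented consumer (SIEM forwarder, grep, tail) does."""
    out = []
    for entry in log:
        out.extend(entry.splitlines())
    return out


# Constructed payload: an attacker who controls one field tries to forge a second, privileged-looking record.
FORGED_DETAIL = "changed own address\nSYSADMIN LOGIN success terminal=10.0.0.9"


def unchecked_demo() -> list:
    """Two records come out although only one write happened; the second is entirely attacker-authored."""
    log = []
    write_unchecked(log, "ATTACKER", "UPDATE", FORGED_DETAIL)
    return records(log)


def neutralized_demo() -> list:
    """One record, with the embedded newline visible as \\x0a instead of acting as a separator."""
    log = []
    write_neutralized(log, "ATTACKER", "UPDATE", FORGED_DETAIL)
    return records(log)


if __name__ == "__main__":
    for line in unchecked_demo():
        print("unchecked  :", line)
    for line in neutralized_demo():
        print("neutralized:", line)
```

The same split-on-newline view is a cheap detection check against an existing log: any record whose leading fields do not match the writer's fixed layout (here `USER EVENT ...`) is a candidate forged line.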

CVSS: 6.5 | EPSS: 0% | CPEs: 16 | EXPL: 0

14 Jun 2022 — Due to an improper authorization check, business users of the Israeli File from SHAAM program (transaction /ATL/VQ23) are granted more authorization than needed to perform certain transactions, which may give them access to data that would otherwise be restricted. • https://launchpad.support.sap.com/#/notes/3203065 • CWE-863: Incorrect Authorization

CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

09 Feb 2022 — SAP ERP HCM Portugal - versions 600, 604, 608, does not perform the necessary authorization checks for a report that reads the payroll data of employees in a certain area. Since the affected report only reads payroll information, the attacker can neither modify any information nor cause availability impacts. • https://launchpad.support.sap.com/#/notes/3126489 • CWE-862: Missing Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

10 Nov 2021 — SAP ERP HCM Portugal does not perform the necessary authorization checks for a report that reads the payroll data of employees in a certain area. Since the affected report only reads payroll information, the attacker can neither modify any information nor cause availability impacts. • https://launchpad.support.sap.com/#/notes/3104456 • CWE-862: Missing Authorization

CVSS: 5.5 | EPSS: 0% | CPEs: 20 | EXPL: 0

14 Sep 2021 — SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE - 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. These functions are normally exposed over the network, and once exploited the attacker may be able to view and modify financial accounting data that only a specific user should have access to. • https://launchpad.support.sap.com/#/notes/3068582 • CWE-862: Missing Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

13 Apr 2021 — SAP's HCM Travel Management Fiori Apps V2, version - 608, does not perform a proper authorization check, allowing an authenticated but unauthorized attacker to read the personnel numbers of employees, resulting in escalation of privileges. However, the attacker can only read limited information such as the last name and first name of employees, so there is some loss of confidential information; integrity and availability are not impacted. • https://launchpad.support.sap.com/#/notes/3025054 • CWE-862: Missing Authorization

CVSS: 4.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

10 Nov 2020 — SAP ERP Client for E-Bilanz, version - 1.0, sets incorrect default filesystem permissions on its installation folder, which allows anyone to modify the files in the folder. • https://launchpad.support.sap.com/#/notes/2971112 • CWE-276: Incorrect Default Permissions
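A check a practitioner would run against an installation folder of this kind, as an added example that is not SAP's installer or code: walk the tree, report every entry whose mode grants write to "others" (the condition that lets any local user replace the client's files), and clear that bit as remediation. The folder layout (`settings.ini`, `client.jar`) is constructed in a temporary directory for the example and says nothing about the real product's file names.

```python
"""Added check for world-writable installation folders (CWE-276). Not SAP's
installer or code; the folder layout is constructed in a temp directory."""
import os
import shutil
import stat
import tempfile


def is_world_writable(path: str) -> bool:
    """True if 'others' may write; symlinks are skipped since their own mode bits are not enforced."""
    mode = os.lstat(path).st_mode
    return not stat.S_ISLNK(mode) and bool(mode & stat.S_IWOTH)


def world_writable_entries(root: str) -> list:
    """Walk an installation folder and list every entry anyone on the host could modify."""
    findings = [root] if is_world_writable(root) else []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if is_world_writable(path):
                findings.append(path)
    return sorted(findings)


def remove_world_write(paths: list) -> None:
    """Remediation: clear the others-write bit only, leaving owner and group bits untouched."""
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)


def demo() -> tuple:
    """Constructed install folder: one world-writable config file beside a correctly permissioned jar.
    Returns (findings before remediation, findings after), as paths relative to the folder."""
    root = tempfile.mkdtemp(prefix="ebilanz-demo-")
    try:
        os.chmod(root, 0o755)
        for name, mode in (("settings.ini", 0o666), ("client.jar", 0o644)):
            path = os.path.join(root, name)
            with open(path, "w"):
                pass
            os.chmod(path, mode)          # explicit chmod so the umask cannot mask the demo

        def relative(paths):
            return [os.path.relpath(p, root) for p in paths]

        before = world_writable_entries(root)
        remove_world_write(before)
        after = world_writable_entries(root)
        return relative(before), relative(after)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = demo()
    print("world-writable before:", before)
    print("world-writable after: ", after)
```

Run `world_writable_entries()` against the real installation path on a host where the client is deployed; on Windows the POSIX bits do not apply and the equivalent check is the folder's ACL for Everyone/Authenticated Users write rights.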

CVSS: 4.3 | EPSS: 0% | CPEs: 14 | EXPL: 0

10 Nov 2020 — SAP ERP and SAP S/4 HANA allow an authenticated user to see cost records for objects for which the user has no authorization in PS reporting, due to a missing authorization check. • https://launchpad.support.sap.com/#/notes/2944188 • CWE-862: Missing Authorization

CVSS: 8.1 | EPSS: 0% | CPEs: 13 | EXPL: 0

10 Jun 2020 — Statutory Reporting for Insurance Companies in SAP ERP (EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain restricted data (missing authorization check). • https://launchpad.support.sap.com/#/notes/2906996 • CWE-862: Missing Authorization
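Most entries in this list share one pattern: a report or function reads (or, in the RFOPENPOSTING_FR, PS reporting and Statutory Reporting cases, modifies) business data without checking the caller's authorization for the object in question (CWE-862), and the SHAAM /ATL/VQ23 entry is the neighbouring failure where a check exists but the grant behind it is broader than the task needs (CWE-863). The model below is an added example, not SAP's code or authorization model: the authorization object `Z_PAYROLL`, its fields `ACTVT` and `AREA`, the activity codes, the payroll rows and the users are all hypothetical and constructed for the example.

```python
"""Added model of a missing authorization check (CWE-862) in a read-only payroll
report and of an over-broad grant (CWE-863). Not SAP code: the authorization
object Z_PAYROLL, its fields, the users and the payroll rows are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PayrollRecord:
    personnel_number: str
    area: str
    gross_pay: int


# Constructed sample data, not real payroll.
PAYROLL = [
    PayrollRecord("00001001", "PT01", 2400),
    PayrollRecord("00001002", "PT01", 3100),
    PayrollRecord("00002001", "PT02", 2900),
]

# Authorizations are held as {(object, field): set of allowed values}; "*" matches any value.
DISPLAY, CHANGE = "03", "02"


class AuthorizationError(PermissionError):
    pass


def authorized(auths: dict, obj: str, field: str, value: str) -> bool:
    allowed = auths.get((obj, field), set())
    return "*" in allowed or value in allowed


def payroll_report_unchecked(auths: dict, area: str) -> list:
    """CWE-862: returns every record for the area; the caller's authorizations are never consulted."""
    return [r for r in PAYROLL if r.area == area]


def payroll_report_checked(auths: dict, area: str) -> list:
    """Fixed report: require display activity on the object and the specific area before reading."""
    if not (authorized(auths, "Z_PAYROLL", "ACTVT", DISPLAY)
            and authorized(auths, "Z_PAYROLL", "AREA", area)):
        raise AuthorizationError(f"no display authorization for payroll area {area}")
    return [r for r in PAYROLL if r.area == area]


def report_denied(auths: dict, area: str) -> bool:
    """True when the checked report refuses this area for this user."""
    try:
        payroll_report_checked(auths, area)
        return False
    except AuthorizationError:
        return True


def excess_grants(granted: dict, required: dict) -> dict:
    """CWE-863 view: values a role grants beyond what the task needs, per (object, field)."""
    excess = {}
    for key, values in granted.items():
        extra = values - required.get(key, set())
        if extra:
            excess[key] = extra
    return excess


# Constructed users. CLERK_PT01 is the least-privilege profile for a display-only report on PT01;
# OVERBROAD_ROLE passes the same check but also grants change activity on every area.
CLERK_PT01 = {("Z_PAYROLL", "ACTVT"): {DISPLAY}, ("Z_PAYROLL", "AREA"): {"PT01"}}
OVERBROAD_ROLE = {("Z_PAYROLL", "ACTVT"): {DISPLAY, CHANGE}, ("Z_PAYROLL", "AREA"): {"*"}}

if __name__ == "__main__":
    print("unchecked, foreign area:", payroll_report_unchecked(CLERK_PT01, "PT02"))  # data leaks
    print("checked, foreign area denied:", report_denied(CLERK_PT01, "PT02"))        # True
    print("excess grants in over-broad role:", excess_grants(OVERBROAD_ROLE, CLERK_PT01))
```

The two functions map onto the two CWE ids on this page: `payroll_report_unchecked` versus `payroll_report_checked` is the 862 fix (add the check the report lacked), while `excess_grants` is the 863 review (the check is present, so the remediation is on the role, not the code).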