CVSS: 9.9 • EPSS: 0% • CPEs: 6 • EXPL: 0

08 Apr 2025 — SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. • https://me.sap.com/notes/3581961 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Mar 2025 — The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a low impact on integrity, with no impact on the confidentiality of the data or the availability of the application. • https://me.sap.com/notes/3565835 • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Mar 2025 — The Manage Bank Statements in SAP S/4HANA allows an authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement. This vulnerability has a low impact on the application's integrity, with no effect on confidentiality and availability of the application. • https://me.sap.com/notes/3565835 • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 3.5 • EPSS: 0% • CPEs: 22 • EXPL: 0

11 Mar 2025 — Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application's confidentiality. There is no impact on integrity or availability. • https://me.sap.com/notes/3561861 • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 4.3 • EPSS: 0% • CPEs: 3 • EXPL: 0

11 Mar 2025 — The OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has a low impact on the integrity of the application. • https://me.sap.com/notes/3474392 • CWE-862: Missing Authorization

CVSS: 4.3 • EPSS: 0% • CPEs: 6 • EXPL: 0

11 Mar 2025 — An authenticated user with low privileges can exploit a missing authorization check in an IBS module of FS-RBD, allowing unauthorized access to perform actions beyond their intended permissions. This causes a low impact on integrity with no impact on confidentiality and availability. • https://me.sap.com/notes/3557131 • CWE-862: Missing Authorization

CVSS: 6.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

11 Jun 2024 — Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the system. • https://me.sap.com/notes/3466175 • CWE-862: Missing Authorization

CVSS: 6.5 • EPSS: 0% • CPEs: 2 • EXPL: 0

09 Jan 2024 — SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading to low impact on the confidentiality of the application. • https://me.sap.com/notes/3260667 • CWE-285: Improper Authorization • CWE-863: Incorrect Authorization

CVSS: 4.3 • EPSS: 0% • CPEs: 6 • EXPL: 0

10 Oct 2023 — The Statutory Reporting application has a vulnerable file storage location, potentially enabling a low-privileged attacker to read server files with minimal impact on confidentiality. • https://me.sap.com/notes/3222121 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-209: Generation of Error Message Containing Sensitive Information

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Oct 2023 — S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges which has low impact on the confidentiality and integrity of the application. • https://me.sap.com/notes/3219846 • CWE-862: Missing Authorization