CVSS: 9.9EPSS: 0%CPEs: 6EXPL: 0CVE-2025-27429 – Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise)
https://notcve.org/view.php?id=CVE-2025-27429
08 Apr 2025 — SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. SAP S/4HANA permite a un atacante con privilegios de usuario explotar una vulnerabilidad en el módulo d... • https://me.sap.com/notes/3581961 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27436 – Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements)
https://notcve.org/view.php?id=CVE-2025-27436
11 Mar 2025 — The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a low impact on integrity, with no impact on the confidentiality of the data or the availability of the application. • https://me.sap.com/notes/3565835 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27433 – Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements)
https://notcve.org/view.php?id=CVE-2025-27433
11 Mar 2025 — The Manage Bank Statements in SAP S/4HANA allows authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement. This vulnerability has a low impact on the application's integrity, with no effect on confidentiality and availability of the application. • https://me.sap.com/notes/3565835 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 3.5EPSS: 0%CPEs: 22EXPL: 0CVE-2025-27430 – Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center)
https://notcve.org/view.php?id=CVE-2025-27430
11 Mar 2025 — Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application's confidentiality. There is no impact on integrity or availability • https://me.sap.com/notes/3561861 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2025-26656 – Missing Authorization check in S/4HANA (Manage Purchasing Info Records)
https://notcve.org/view.php?id=CVE-2025-26656
11 Mar 2025 — OData Service in Manage Purchasing Info Records does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on integrity of the application. • https://me.sap.com/notes/3474392 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2025-23188 – Missing Authorization check in SAP S/4HANA (RBD)
https://notcve.org/view.php?id=CVE-2025-23188
11 Mar 2025 — An authenticated user with low privileges can exploit a missing authorization check in an IBS module of FS-RBD, allowing unauthorized access to perform actions beyond their intended permissions. This causes a low impact on integrity with no impact on confidentiality and availability. • https://me.sap.com/notes/3557131 • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 0CVE-2024-34691 – Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)
https://notcve.org/view.php?id=CVE-2024-34691
11 Jun 2024 — Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the system. Administrar archivos de pagos entrantes (F1680) de SAP S/4HANA no realiza las verificaciones de autorización necesarias para un usuario autenticado, lo que resulta en una escalada de privilegios. Como resultado, tiene un alto impac... • https://me.sap.com/notes/3466175 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-42475 – Information Disclosure Vulnerability in Statutory Reporting
https://notcve.org/view.php?id=CVE-2023-42475
10 Oct 2023 — The Statutory Reporting application has a vulnerable file storage location, potentially enabling low privileged attacker to read server files with minimal impact on confidentiality. La aplicación Statutory Reporting tiene una ubicación de almacenamiento de archivos vulnerable, lo que potencialmente permite a un atacante con pocos privilegios leer archivos del servidor con un impacto mínimo en la confidencialidad. • https://me.sap.com/notes/3222121 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 16EXPL: 0CVE-2022-31589
https://notcve.org/view.php?id=CVE-2022-31589
14 Jun 2022 — Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than needed authorization to perform certain transaction, which may lead to users getting access to data that would otherwise be restricted. Debido a una comprobación inapropiada de la autorización, a los usuarios de la empresa usando el programa Israeli File from SHAAM (transacción /ATL/VQ23), les es concedida más autorización de la necesaria para llevar a cabo determi... • https://launchpad.support.sap.com/#/notes/3203065 • CWE-863: Incorrect Authorization •