SAP S4 Hana
By the Year
In 2026 there have been 0 vulnerabilities in SAP S4 Hana. Last year, in 2025, S4 Hana had 1 security vulnerability published. Right now, S4 Hana is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 6.40 |
| 2024 | 2 | 5.90 |
| 2023 | 2 | 4.80 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 2 | 7.60 |
It may take a day or so for new S4 Hana vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent SAP S4 Hana Security Vulnerabilities
SAP S/4 HANA: Authenticated User Can Configure Unauthorized Field in Custom UI
CVE-2025-43003
6.4 - Medium
- May 13, 2025
SAP S/4 HANA allows an authenticated attacker with user privileges to configure a field not intended for their access and create a custom UI layout displaying this field. On performing this step the attacker could gain access to highly sensitive information. This could cause a high impact on confidentiality and minimal impact on integrity and availability of the application.
Exposed Dangerous Method or Function
OData MERGE bypasses read-only fields in Bank Statement Draft
CVE-2024-45282
5.3 - Medium
- October 08, 2024
Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.
Trusting HTTP Permission Methods on the Server Side
SAP S/4HANA Privilege Escalation via Auth Check Bypass
CVE-2024-34691
6.5 - Medium
- June 11, 2024
Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the system.
AuthZ
SAP S/4HANA Create Single Payment XML Upload DoS via Entity Loop
CVE-2023-41369
4.3 - Medium
- September 12, 2023
The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload an XML file as an attachment. When the XML file is clicked in the attachment section, it is opened in the browser, where entity loops slow down the browser.
XXE
OData API Bypass SAP S4 HANA Checkbook Apps v102-v107 Unauthorized rename
CVE-2023-41368
5.3 - Medium
- September 12, 2023
The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.
Insecure Direct Object Reference / IDOR
SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105
CVE-2020-26832
7.6 - High
- December 09, 2020
SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute an RFC function module to which access should be restricted. However, due to missing authorization, an attacker can get access to some sensitive internal information of the vulnerable SAP system or make vulnerable SAP systems completely unavailable.
AuthZ
VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600
CVE-2020-6188
- February 12, 2020
VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.