SAP S4core
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in SAP S4core.
By the Year
In 2026 there have been 0 vulnerabilities in SAP S4core. Last year, in 2025 S4core had 1 security vulnerability published. Right now, S4core is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 4.30 |
| 2024 | 2 | 5.95 |
| 2023 | 5 | 5.64 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 9.10 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 8.80 |
| 2018 | 1 | 4.60 |
It may take a day or so for new S4core vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent SAP S4core Security Vulnerabilities
Privilege Escalation via Missing Auth Checks in SAP S4CORE Journal Management
CVE-2025-42899
4.3 - Medium
- November 11, 2025
SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user resulting in escalation of privileges. This has low impact on confidentiality of the application with no impact on integrity and availability of the application.
AuthZ
Privilege Escalation in SAP S/4HANA Finance APM
CVE-2024-37172
5.4 - Medium
- July 09, 2024
SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality and availability but there is no impact on the integrity.
AuthZ
PDCE Elements Priv Escalation: Missing Auth Checks
CVE-2024-39592
6.5 - Medium
- July 09, 2024
Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.
AuthZ
Privilege Escalation via Missing Auth in S4CORE Manage Purchase Contracts
CVE-2023-40625
5.4 - Medium
- September 12, 2023
S4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user. This could allow an attacker to perform unintended actions resulting in escalation of privileges which has low impact on confidentiality and integrity with no impact on availibility of the system.
AuthZ
SAP S/4HANA Journal Entry Template Tampering via Altered Save Request
CVE-2023-35870
7.3 - High
- July 11, 2023
When creating a journal entry template in SAP S/4HANA (Manage Journal Entry Template) - versions S4CORE 104, 105, 106, 107, an attacker could intercept the save request and change the template, leading to an impact on confidentiality and integrity of the resource. Furthermore, a standard template could be deleted, hence making the resource temporarily unavailable.
Incorrect Permission Assignment for Critical Resource
SAP Vendor Master Hierarchy Auth Bypass Leads to Data Modification
CVE-2023-32112
5.5 - Medium
- May 09, 2023
Vendor Master Hierarchy - versions SAP_APPL 500, SAP_APPL 600, SAP_APPL 602, SAP_APPL 603, SAP_APPL 604, SAP_APPL 605, SAP_APPL 606, SAP_APPL 616, SAP_APPL 617, SAP_APPL 618, S4CORE 100, does not perform necessary authorization checks for an authenticated user to access some of its function. This could lead to modification of data impacting the integrity of the system.
AuthZ
XSS in SAP AIF UI allows remote image injection
CVE-2023-29110
5.4 - Medium
- April 11, 2023
The SAP Application Interface (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 100, 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows the usage HTML tags. An authorized attacker can use some of the basic HTML codes such as heading, basic formatting and lists, then an attacker can inject images from the foreign domains. After successful exploitations, an attacker can cause limited impact on the confidentiality and integrity of the application.
XSS
SAP AIF Excel Formula Injection
CVE-2023-29109
4.6 - Medium
- April 11, 2023
The SAP Application Interface Framework (Message Dashboard) - versions AIF 703, AIFX 702, S4CORE 101, SAP_BASIS 755, 756, SAP_ABA 75C, 75D, 75E, application allows an Excel formula injection. An authorized attacker can inject arbitrary Excel formulas into fields like the Tooltip of the Custom Hints List. Once the victim opens the downloaded Excel document, the formula will be executed. As a result, an attacker can cause limited impact on the confidentiality and integrity of the application.
CSV Injection
DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability
CVE-2021-33701
9.1 - Critical
- September 15, 2021
DMIS Mobile Plug-In or SAP S/4HANA, versions - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 710, 2011_1_731, 710, 2011_1_752, 2020, SAPSCORE 125, S4CORE 102, 102, 103, 104, 105, allows an attacker with access to highly privileged account to execute manipulated query in NDZT tool to gain access to Superuser account, leading to SQL Injection vulnerability, that highly impacts systems Confidentiality, Integrity and Availability.
SQL Injection
SAP Enterprise Financial Services (fixed in SAPSCORE 1.13
CVE-2018-2484
8.8 - High
- January 08, 2019
SAP Enterprise Financial Services (fixed in SAPSCORE 1.13, 1.14, 1.15; S4CORE 1.01, 1.02, 1.03; EA-FINSERV 1.10, 2.0, 5.0, 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0; Bank/CFM 4.63_20) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
AuthZ
SAP Enterprise Financial Services (SAPSCORE 1.11
CVE-2018-2419
4.6 - Medium
- May 09, 2018
SAP Enterprise Financial Services (SAPSCORE 1.11, 1.12; S4CORE 1.01, 1.02; EA-FINSERV 6.04, 6.05, 6.06, 6.16, 6.17, 6.18, 8.0) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
AuthZ
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for SAP S4core or by SAP? Click the Watch button to subscribe.
