SAP S4hana
By the Year
In 2024 there have been 0 vulnerabilities in SAP S4hana . Last year S4hana had 4 security vulnerabilities published. Right now, S4hana is on track to have less security vulnerabilities in 2024 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 4 | 5.58 |
2022 | 6 | 6.65 |
2021 | 1 | 8.80 |
2020 | 5 | 5.18 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new S4hana vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent SAP S4hana Security Vulnerabilities
The Statutory Reporting application has a vulnerable file storage location
CVE-2023-42475
4.3 - Medium
- October 10, 2023
The Statutory Reporting application has a vulnerable file storage location, potentially enabling low privileged attacker to read server files with minimal impact on confidentiality.
Information Disclosure
S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges
CVE-2023-42473
5.4 - Medium
- October 10, 2023
S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges which has low impact on the confidentiality and integrity of the application.
AuthZ
SAP S/4HANA Manage Catalog Items and Cross-Catalog searches Fiori apps
CVE-2023-40306
6.1 - Medium
- September 08, 2023
SAP S/4HANA Manage Catalog Items and Cross-Catalog searches Fiori apps allow an attacker to redirect users to a malicious site due to insufficient URL validation. As a result, it may have a slight impact on confidentiality and integrity.
Open Redirect
SAP S/4 HANA Map Treasury Correspondence Format Data does not perform necessary authorization check for an authenticated user
CVE-2023-24524
6.5 - Medium
- February 14, 2023
SAP S/4 HANA Map Treasury Correspondence Format Data does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to delete the data with a high impact to availability.
AuthZ
Within SAP S/4HANA - versions S4CORE 101
CVE-2022-31597
5.4 - Medium
- July 12, 2022
Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data.
AuthZ
Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101
CVE-2022-32248
5.3 - Medium
- July 12, 2022
Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101, 102, 103, 104, 105, 106, an attacker could insert or edit the value of an existing field in the database. This leads to an impact on the integrity of the data.
Improper Input Validation
Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than needed authorization to perform certain transaction, which may lead to users getting access to data
CVE-2022-31589
6.5 - Medium
- June 14, 2022
Due to improper authorization check, business users who are using Israeli File from SHAAM program (/ATL/VQ23 transaction), are granted more than needed authorization to perform certain transaction, which may lead to users getting access to data that would otherwise be restricted.
S/4HANA Supplier Factsheet exposes the private address and bank details of an Employee Business Partner with Supplier Role, AND Enterprise Search for Customer, Supplier and Business Partner objects exposes the private address fields of Employee Business Partners, to an actor
CVE-2022-22542
6.5 - Medium
- February 09, 2022
S/4HANA Supplier Factsheet exposes the private address and bank details of an Employee Business Partner with Supplier Role, AND Enterprise Search for Customer, Supplier and Business Partner objects exposes the private address fields of Employee Business Partners, to an actor that is not explicitly authorized to have access to that information, which could compromise Confidentiality.
Information Disclosure
The F0743 Create Single Payment application of SAP S/4HANA - versions 100
CVE-2022-22531
8.1 - High
- January 14, 2022
The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified.
The F0743 Create Single Payment application of SAP S/4HANA - versions 100
CVE-2022-22530
8.1 - High
- January 14, 2022
The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to inject dangerous content or malicious code which could result in critical information being modified or completely compromise the availability of the application.
Due to improper input sanitization, an authenticated user with certain specific privileges
CVE-2021-38176
8.8 - High
- September 14, 2021
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query or inject ABAP code to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.
SQL Injection
SAP ERP and SAP S/4 HANA
CVE-2020-6316
4.3 - Medium
- November 10, 2020
SAP ERP and SAP S/4 HANA allows an authenticated user to see cost records to objects to which he has no authorization in PS reporting, leading to Missing Authorization check.
AuthZ
Egypt localized withholding tax reports Clearing of Liabilities and Remittance Statement and Summary in SAP ERP (versions 618, 730, EAPPLGLO 607) and S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user
CVE-2020-6212
5.4 - Medium
- April 24, 2020
Egypt localized withholding tax reports Clearing of Liabilities and Remittance Statement and Summary in SAP ERP (versions 618, 730, EAPPLGLO 607) and S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user, allowing reading or modification of some tax reports, due to Missing Authorization Check.
AuthZ
SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports
CVE-2020-6214
4.7 - Medium
- April 14, 2020
SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports. Although the affected reports are protected with other authorization objects, exploitation of the vulnerability would allow an authenticated attacker to view, change, or delete data, thereby preventing the proper segregation of duties in the system.
AuthZ
Under certain conditions
CVE-2020-6184
6.1 - Medium
- February 12, 2020
Under certain conditions, ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), does not sufficiently encode user-controlled inputs, resulting in Reflected Cross-Site Scripting (XSS) vulnerability.
XSS
Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54)
CVE-2020-6185
5.4 - Medium
- February 12, 2020
Under certain conditions ABAP Online Community in SAP NetWeaver (SAP_BASIS version 7.40) and SAP S/4HANA (SAP_BASIS versions 7.50, 7.51, 7.52, 7.53, 7.54), allows an authenticated attacker to store a malicious payload which results in Stored Cross Site Scripting vulnerability.
XSS
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for SAP S4hana or by SAP? Click the Watch button to subscribe.