Privilege Escalation via Missing Auth in S4CORE Manage Purchase Contracts
CVE-2023-40625 Published on September 12, 2023
Missing Authorization check in SAP Manage Purchase Contracts App
S4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user. This could allow an attacker to perform unintended actions resulting in escalation of privileges which has low impact on confidentiality and integrity with no impact on availibility of the system.
Vulnerability Analysis
CVE-2023-40625 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2023-40625 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2023-40625
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-40625 are published in SAP S4core:
Affected Versions
SAP_SE SAP Manage Purchase Contracts App:- Version S4CORE 102 is affected.
- Version S4CORE 103 is affected.
- Version S4CORE 104 is affected.
- Version S4CORE 105 is affected.
- Version S4CORE 106 is affected.
- Version S4CORE 107 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.