Privilege Escalation via Missing Auth in S4CORE Manage Purchase Contracts
CVE-2023-40625 Published on September 12, 2023
Missing Authorization check in SAP Manage Purchase Contracts App
S4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user. This could allow an attacker to perform unintended actions resulting in escalation of privileges which has low impact on confidentiality and integrity with no impact on availibility of the system.
Vulnerability Analysis
CVE-2023-40625 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2023-40625 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2023-40625
Want to know whenever a new CVE is published for SAP S4core? stack.watch will email you.
Affected Versions
SAP_SE SAP Manage Purchase Contracts App:- Version S4CORE 102 is affected.
- Version S4CORE 103 is affected.
- Version S4CORE 104 is affected.
- Version S4CORE 105 is affected.
- Version S4CORE 106 is affected.
- Version S4CORE 107 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.