OData API Bypass SAP S4 HANA Checkbook Apps v102-v107 Unauthorized rename
CVE-2023-41368 Published on September 12, 2023
Insecure Direct Object Reference (IDOR) vulnerability in S4 HANA (Manage checkbook apps)
The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.
Vulnerability Analysis
CVE-2023-41368 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2023-41368 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
Products Associated with CVE-2023-41368
Want to know whenever a new CVE is published for SAP S4 Hana? stack.watch will email you.
Affected Versions
SAP_SE S4 HANA ABAP (Manage checkbook apps):- Version 102 is affected.
- Version 103 is affected.
- Version 104 is affected.
- Version 105 is affected.
- Version 106 is affected.
- Version 107 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.