5.4

CVE-2023-40625

EPSS 0.15%
Published 12.09.2023 03:15:14
Last modified 21.11.2024 08:19:50
Source cna@sap.com
Teams watchlist Login
Open Login

S4CORE (Manage Purchase Contracts App) - versions 102, 103, 104, 105, 106, 107, does not perform necessary authorization checks for an authenticated user. This could allow an attacker to perform unintended actions resulting in escalation of privileges which has low impact on confidentiality and integrity with no impact on availibility of the system.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

SAP ≫ S4core Version102

SAP ≫ S4core Version103

SAP ≫ S4core Version104

SAP ≫ S4core Version105

SAP ≫ S4core Version106

SAP ≫ S4core Version107

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.15%	0.363

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
cna@sap.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Vendor Advisory

https://me.sap.com/notes/3326361

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2023-40625

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-40625

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-40625

EUVD