Sap: >> S/4hana Security Vulnerabilities
During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-04-14
Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-04-14
An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability.
CVSS Score
9.9
EPSS Score
0.0
Published
2026-02-10
SAP S/4HANA Finance (Advanced Payment
Management) does not perform necessary authorization check for an authenticated
user, resulting in escalation of privileges. As a result, it has a low impact
to confidentiality and availability but there is no impact on the integrity.
CVSS Score
5.4
EPSS Score
0.002
Published
2024-07-09
The Statutory Reporting application has a vulnerable file storage location, potentially enabling low privileged attacker to read server files with minimal impact on confidentiality.
CVSS Score
4.3
EPSS Score
0.002
Published
2023-10-10
S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges which has low impact on the confidentiality and integrity of the application.
CVSS Score
5.4
EPSS Score
0.001
Published
2023-10-10
SAP S/4HANA Manage Catalog Items and Cross-Catalog searches Fiori apps allow an attacker to redirect users to a malicious site due to insufficient URL validation. As a result, it may have a slight impact on confidentiality and integrity.
CVSS Score
6.1
EPSS Score
0.001
Published
2023-09-08
SAP S/4 HANA Map Treasury Correspondence Format Data does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to delete the data with a high impact to availability.
CVSS Score
6.5
EPSS Score
0.003
Published
2023-02-14
Within SAP S/4HANA - versions S4CORE 101, 102, 103, 104, 105, 106, SAPSCORE 127, the application business partner extension for Spain/Slovakia does not perform necessary authorization checks for a low privileged authenticated user over the network, resulting in escalation of privileges leading to low impact on confidentiality and integrity of the data.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-07-12
Due to missing input validation in the Manage Checkbooks component of SAP S/4HANA - version 101, 102, 103, 104, 105, 106, an attacker could insert or edit the value of an existing field in the database. This leads to an impact on the integrity of the data.
CVSS Score
5.3
EPSS Score
0.003
Published
2022-07-12
Page 1