Authorization Flaw in SAP S/4 HANA affecting Fiori UI for General Ledger Accounting
CVE-2020-6273

4.3MEDIUM

Key Information:

Vendor: SAP
Status: SAP S/4 Hana (fiori Ui For General Ledger Accounting)
Vendor: CVE Published:; 12 August 2020

Summary

The Fiori UI for General Ledger Accounting in SAP S/4 HANA versions 103 and 104 is vulnerable due to inadequate authorization checks on the attachment service. Authenticated users can exploit this oversight to delete attachments without proper authorization, leading to potential data loss and integrity issues.

Affected Version(s)

SAP S/4 HANA (Fiori UI for General Ledger Accounting) < 103 < 103

SAP S/4 HANA (Fiori UI for General Ledger Accounting) < 104 < 104

References

https://launchpad.support.sap.com/#/notes/2885671

x_refsource_MISC

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 12, 2020
Vulnerability Reserved
Jan 8, 2020