Description
After implementing note 1235367, which introduced a new authorization object (C_APO_CVC) to control user rights for CVC maintenance by POS, some authorization check is still missing.
Information disclosure due to missing authorization checks in some APO transactions.
Available fix and Supported packages
- SCM | 410 | 410
- SCM | 500 | 500
- SCM | 510 | 510
- SCM | 700 | 700
- SCM 500 | SAPKY50015 |
- SCM 700 | SAPKY70002 |
- SCM 410 | SAPKY41019 |
- SCM 510 | SAPKY51009 |
Affected component
- SCM-APO-FCS-BF
Basic Functions
CVSS
Score: 0
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/1262016