Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Missing authority check in Demand Planning transaction, SAP security note 1428998


In general when starting a transaction, autorization checks are executed to verify that the user can access the transaction. Sometimes transactions are called during program execution. In that case, the program should execute the authorization check itself before calling the transaction.
In this note, authorization checks are added when programs are starting the transactions SE18 for BADI maintenance and /SAPAPO/MC96B for forecast profile maintenance.

Available fix and Supported packages

  • SCM | 410 | 410
  • SCM | 500 | 500
  • SCM | 510 | 510
  • SCM | 700 | 700
  • SCM 410 | SAPKY41020 |
  • SCM 500 | SAPKY50017 |
  • SCM 510 | SAPKY51013 |
  • SCM 700 | SAPKY70006 |

Affected component

    Demand Planning


Score: 0


Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.




More to explorer

SAP Cloud Connector Certificate Validation Issue

Date of Release: February 13, 2024 Advisory ID: CVE-2024-25642 Affected Software: SAP Cloud Connector Versions Affected: 2.15.0 to 2.16.1 Vulnerability Summary:A critical vulnerability,

Protect Your SAP with RedRays Security Platform

Explore the Power of Our Scanner with an Interactive Prototype Below