Missing Authorization check in Travel Management, SAP security note 2847817

Description

Travel Management Fiori Applications (MTR V2 and MTE V2) do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Some well-known impacts of Missing Authorization check are –

abuse functionality restricted to a particular user group
read, modify or delete restricted data

Available fix and Supported packages

EA-HRGXX | 608 | 608
EA-HRGXX 608 | SAPK-60873INEAHRGXX |

Affected component

CVSS

Score: 4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2847817

Vahagn Vardanian

Missing Authorization check in Travel Management, SAP security note 2847817

Description

Available fix and Supported packages

Affected component

CVSS

PoC

URL

TAGS

#Access-control
#Authorization-error
#Authorization-profile

Explore More

SAP Security Patch Day – August 2025

SAP Security Training – Why Businesses Can’t Ignore It Anymore

SAP Security Patch Day – July 2025

Registration Open: SAP Security Training – August 2025 | Limited Seats

Vahagn Vardanian

Missing Authorization check in Travel Management, SAP security note 2847817

Description

Available fix and Supported packages

Affected component

CVSS

PoC

URL

TAGS

#Access-control#Authorization-error#Authorization-profile

Explore More

SAP Security Patch Day – August 2025

SAP Security Training – Why Businesses Can’t Ignore It Anymore

SAP Security Patch Day – July 2025

Registration Open: SAP Security Training – August 2025 | Limited Seats

Special offer for SAP Security Udemy course!

$ 9.99

#Access-control
#Authorization-error
#Authorization-profile