Missing Authorization check in Travel Management, SAP security note 2847817

Description

Travel Management Fiori Applications (MTR V2 and MTE V2) do not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.

Some well-known impacts of Missing Authorization check are –

abuse functionality restricted to a particular user group
read, modify or delete restricted data

Available fix and Supported packages

EA-HRGXX | 608 | 608
EA-HRGXX 608 | SAPK-60873INEAHRGXX |

Affected component

CVSS

Score: 4.3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2847817

Vahagn Vardanian

Missing Authorization check in Travel Management, SAP security note 2847817

Description

Available fix and Supported packages

Affected component

CVSS

PoC

URL

TAGS

#Access-control
#Authorization-error
#Authorization-profile

More to explorer

How the SAP Penetration Testing Process at RedRays Works

Local Privilege Escalation Vulnerability in SAP SAPControl

[PoC] SAP PING PONG – XSS and URL Redirection Vulnerabilities

[PoC] SAP Note 3433192 – Code Injection vulnerability in SAP NetWeaver AS Java

Vahagn Vardanian

Missing Authorization check in Travel Management, SAP security note 2847817

Description

Available fix and Supported packages

Affected component

CVSS

PoC

URL

TAGS

#Access-control#Authorization-error#Authorization-profile

More to explorer

How the SAP Penetration Testing Process at RedRays Works

Local Privilege Escalation Vulnerability in SAP SAPControl

[PoC] SAP PING PONG – XSS and URL Redirection Vulnerabilities

[PoC] SAP Note 3433192 – Code Injection vulnerability in SAP NetWeaver AS Java

Special offer for SAP Security Udemy course!

$ 9.99

#Access-control
#Authorization-error
#Authorization-profile