Description
The following function modules do not perform the authorization checks required for the actions they carry out. An authenticated user with no authorization for those actions can therefore invoke them, resulting in an escalation of privileges.
- COD_CONTRACT_CREATEFROMDAT
- COD_CUSTHIER_BTE_CHANGE
- COD_CUSTHIER_BTE_DELETE
- COD_REPLICATE_CONTRACT_OUT
- COD_REPLICATE_SALES_ORDER_OUT
- COD_SALESORDER_CREATEFROMDAT2
- COD_CONTRACT_SIMULATE
- COD_ERP_GET_DOC_FLOW
- COD_LORD_GET_PRINT_PREVIEW
- COD_SALESORDER_SIMULATE
Typical impacts of a missing authorization check are:
- abuse functionality restricted to a particular user group
- read, modify or delete restricted data
Available fix and Supported packages
Affected software component versions (software component | release from | release to):
- CODERINT | 600 | 600
- S4CORE | 100 | 100
- S4CORE | 101 | 101
- S4CORE | 102 | 102
- S4CORE | 103 | 103
Support packages containing the fix (software component release | support package):
- CODERINT 600 | SAPK-60043INCODERINT
- S4CORE 100 | SAPK-10008INS4CORE
- S4CORE 101 | SAPK-10106INS4CORE
- S4CORE 102 | SAPK-10204INS4CORE
- S4CORE 103 | SAPK-10301INS4CORE
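One way to screen a system against the fix table above is to compare the installed support package level of each affected software component with the level that carries the fix. The following Python script is an added example for this page, not RedRays or SAP code. It assumes the SAPK-<release><SP>IN<component> naming convention visible in the table (for example SAPK-60043INCODERINT is release 600, support package 43), and the installed component list it evaluates is a constructed sample, not data from a real system.

```python
import re
from dataclasses import dataclass

# Fix table transcribed from the advisory:
# (software component, release) -> support package that contains the fix.
FIXES = {
    ("CODERINT", "600"): "SAPK-60043INCODERINT",
    ("S4CORE", "100"): "SAPK-10008INS4CORE",
    ("S4CORE", "101"): "SAPK-10106INS4CORE",
    ("S4CORE", "102"): "SAPK-10204INS4CORE",
    ("S4CORE", "103"): "SAPK-10301INS4CORE",
}

# Assumed naming convention: SAPK-<3-digit release><2-digit SP>IN<component>.
SAPK_RE = re.compile(r"^SAPK-(\d{3})(\d{2})IN([A-Z0-9_]+)$")


def parse_sapk(name):
    """Split a support package name into (component, release, sp_level)."""
    m = SAPK_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised support package name: {name}")
    release, sp, component = m.groups()
    return component, release, int(sp)


def fix_sp_level(component, release):
    """Return the SP level that fixes the given component/release, or None
    if the advisory does not list that combination. Cross-checks that the
    SAPK name really belongs to the component/release it is filed under."""
    sapk = FIXES.get((component, release))
    if sapk is None:
        return None
    comp, rel, sp = parse_sapk(sapk)
    if (comp, rel) != (component, release):
        raise ValueError(f"fix table entry {sapk} does not match {component} {release}")
    return sp


@dataclass
class Installed:
    """One row of the installed software component versions of a system."""
    component: str
    release: str
    sp_level: int  # highest support package applied, e.g. '0042' -> 42


def assess(installed):
    """Return (component, release, verdict) for every installed component
    the advisory lists; components not in the fix table are skipped."""
    results = []
    for row in installed:
        needed = fix_sp_level(row.component, row.release)
        if needed is None:
            continue
        if row.sp_level >= needed:
            verdict = "patched"
        else:
            verdict = (f"vulnerable: SP {row.sp_level:02d} installed, "
                       f"needs SP {needed:02d} ({FIXES[(row.component, row.release)]})")
        results.append((row.component, row.release, verdict))
    return results


# Constructed sample system, not taken from a real installation.
SAMPLE_SYSTEM = [
    Installed("S4CORE", "103", 0),
    Installed("CODERINT", "600", 43),
    Installed("SAP_BASIS", "753", 4),
]

if __name__ == "__main__":
    for component, release, verdict in assess(SAMPLE_SYSTEM):
        print(f"{component} {release}: {verdict}")
```

A system that reports as vulnerable here has not reached the fixing support package; it may nevertheless already contain the correction if the note's correction instructions were implemented separately, so treat this comparison as a screening step and confirm the note's status in the system itself.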
Affected component
- LO-INT-COD (CRM On Demand Integration)
CVSS
Score: 6.3 (Medium)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
PoC
Detailed vulnerability information has been added to the RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2740951