Skip links
Arpine Maghakyan

Arpine Maghakyan

Security Researcher of RedRays.

Missing Authorization Check in Mapping Function Module, SAP security note 1488453

Description

An authenticated user can use functionality of condition cross-client customizing download from ERP to CRM to which access should be restricted. A table name is used as an input without further checking in the program.

Available fix and Supported packages

  • BBPCRM | 400 | 400
  • BBPCRM | 500 | 500
  • BBPCRM | 520 | 520
  • BBPCRM | 600 | 600
  • BBPCRM | 700 | 700
  • BBPCRM | 701 | 701
  • BBPCRM 400 | SAPKU40018 |
  • BBPCRM 701 | SAPKU70102 |
  • BBPCRM 500 | SAPKU50018 |
  • BBPCRM 520 | SAPKU52011 |
  • BBPCRM 600 | SAPKU60009 |
  • BBPCRM 700 | SAPKU70009 |

Affected component

    CRM-MD-CON-IF
    Exchange of Condition Records and Customizing Data

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/1488453

TAGS

#Authorization
#authorization-check
#Condition-Exchange
#Cross-Client-Customizing-Download

More to explorer