CVE-2020-6204 — Missing Authorization in SE SAP Treasury AND Risk Management

CWE-862 — Missing Authorization4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 54.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Treasury AND Risk Management SAP Treasury AND Risk Management

Timeline

PublishedMar 10

Latest updateMay 24

Description

The selection query in SAP Treasury and Risk Management (Transaction Management) (EA-FINSERV?versions 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) returns more records than it should be when selecting and displaying the contract number, leading to Missing Authorization Check.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5sap_se/sap_treasury_and_risk_management< 600+12

▶NVDsap/treasury_and_risk_management13 versions+12

🔴Vulnerability Details

GHSA

GHSA-whqr-v2xf-6j78: The selection query in SAP Treasury and Risk Management (Transaction Management) (EA-FINSERV?versions 600, 603, 604, 605, 606, 616, 617, 618, 800 and↗2022-05-24

▶

CVEList

CVE-2020-6204: The selection query in SAP Treasury and Risk Management (Transaction Management) (EA-FINSERV?versions 600, 603, 604, 605, 606, 616, 617, 618, 800 and↗2020-03-10

▶

💥Exploits & PoCs

Nuclei

DELMIA Apriso - Command Injection

▶