CVE-2020-6301 — Missing Authorization in SAP HCM Travel Management

CWE-862 — Missing Authorization3 documents3 sources

Severity

8.1HIGHNVD

EPSS

0.2%

top 60.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP ERP SAP HCM Travel Management

Timeline

PublishedAug 12

Latest updateMay 24

Description

SAP ERP (HCM Travel Management), versions - 600, 602, 603, 604, 605, 606, 607, 608, allows an authenticated but unauthorized attacker to read, modify and settle trips, resulting in escalation of privileges, due to Missing Authorization Check.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶NVDsap/hcm_travel_management8 versions+7

▶CVEListV5sap_se/sap_erp< 600+7

🔴Vulnerability Details

GHSA

GHSA-jrpm-x59j-5pxj: SAP ERP (HCM Travel Management), versions - 600, 602, 603, 604, 605, 606, 607, 608, allows an authenticated but unauthorized attacker to read, modify↗2022-05-24

▶

CVEList

CVE-2020-6301: SAP ERP (HCM Travel Management), versions - 600, 602, 603, 604, 605, 606, 607, 608, allows an authenticated but unauthorized attacker to read, modify↗2020-08-12

▶