SAP S/4HANA vulnerabilities
8 known vulnerabilities affecting sap/s_4_hana.
Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 5
Vulnerabilities
CVE-2026-0498 [HIGH] CVSS 7.2 | CWE-94 | v102, v103 +6 more | 2026-01-13
SAP S/4HANA (Private Cloud and On-Premise) allows an attacker with admin privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code/OS commands into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of fu
nvd
CVE-2024-45282 [MEDIUM] CVSS 5.3 | CWE-650 | v102, v103 +4 more | 2024-10-08
Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.
nvd
CVE-2024-34691 [MEDIUM] CVSS 6.5 | CWE-862 | v103, v104 +5 more | 2024-06-11
Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the system.
nvd
CVE-2023-41368 [MEDIUM] CVSS 5.3 | CWE-639 | v102, v103 +4 more | 2023-09-12
The OData service of the S4 HANA (Manage checkbook apps) - versions 102, 103, 104, 105, 106, 107, allows an attacker to change the checkbook name by simulating an update OData call.
nvd
CVE-2023-41369 [MEDIUM] CVSS 4.3 | CWE-611 | v100, v101 +7 more | 2023-09-12
The Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, 107, 108, allows an attacker to upload an XML file as an attachment. When the XML file is clicked in the attachment section, it is opened in the browser, where entity loops slow down the browser.
nvd
CVE-2023-24524 [MEDIUM] CVSS 6.5 | CWE-862 | v104, v105 | 2023-02-14
SAP S/4 HANA Map Treasury Correspondence Format Data does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to delete the data with a high impact to availability.
cvelistv5, nvd
CVE-2020-26832 [HIGH] CVSS 7.6 | CWE-862 | v101, v102 +3 more | 2020-12-09
SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing a
nvd
CVE-2020-6188 [HIGH] CVSS 8.8 | CWE-862 | v1511, v1610 +3 more | 2020-02-12
VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.
nvd