Description
The selection query in SAP Treasury and Risk Management (Transaction Management) (EA-FINSERV versions 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104) returns more records than it should when selecting and displaying the contract number, leading to a Missing Authorization Check.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/2841874
Scores
CVSS v3
4.3
EPSS
0.0023
EPSS Percentile
45.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-862
Status
published
Products (13)
sap/treasury_and_risk_management_\(ea-finserv\)
600
sap/treasury_and_risk_management_\(ea-finserv\)
603
sap/treasury_and_risk_management_\(ea-finserv\)
604
sap/treasury_and_risk_management_\(ea-finserv\)
605
sap/treasury_and_risk_management_\(ea-finserv\)
606
sap/treasury_and_risk_management_\(ea-finserv\)
616
sap/treasury_and_risk_management_\(ea-finserv\)
617
sap/treasury_and_risk_management_\(ea-finserv\)
618
sap/treasury_and_risk_management_\(ea-finserv\)
800
sap/treasury_and_risk_management_\(s4core\)
101
... and 3 more
Published
Mar 10, 2020
Tracked Since
Feb 18, 2026