CVE-2022-29613

MEDIUM

SAP Employee Self Service - Authenticated Employee Number Tampering via Insufficient Input Validation

Title source: llm

Description

Due to insufficient input validation, SAP Employee Self Service allows an authenticated attacker with user privileges to alter the employee number. On successful exploitation, the attacker can view personal details of other users, causing a limited impact on the confidentiality of the application.

References (2)

Core References
Permissions Required, Vendor Advisory x_refsource_misc
https://launchpad.support.sap.com/#/notes/3164677

Scores

CVSS v3 4.3
EPSS 0.0041
EPSS Percentile 61.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-20
Status published
Products (1)
sap/employee_self_service 605
Published May 11, 2022
Tracked Since Feb 18, 2026