CVE-2020-6273

Name of the Vulnerable Software and Affected Versions SAP S/4 HANA (Fiori UI for General Ledger Accounting) versions 103, 104 SAP Business Objects Business Intelligence Platform (affected versions not specified)

Description The issue concerns a missing authorization check in the attachment service, allowing an authenticated user to delete attachments. Additionally, there is a problem with the protection of the web page structure in the SAP Business Objects Business Intelligence Platform, which can be exploited to conduct XSS attacks.

Recommendations For SAP S/4 HANA (Fiori UI for General Ledger Accounting) versions 103, 104: Consider restricting access to the attachment service until a proper authorization check is implemented. For SAP Business Objects Business Intelligence Platform: Restrict access to the vulnerable web page structure to minimize the risk of XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.