CVE-2023-24528 MEDIUM

CVE-2023-24528

Vendor Sap

Product Fiori apps 1.0 for travel management in SAP ERP (My Travel Requests)

Weakness CWE-862 · Missing authorization

Published February 14, 2023

Last update March 20, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

SAP Fiori apps for Travel Management in SAP ERP (My Travel Requests) - version 600, allows an authenticated attacker to exploit a certain misconfigured application endpoint to view sensitive data. This endpoint is normally exposed over the network and successful exploitation can lead to exposure of data like travel documents.

Key dates

02Disclosure timeline

February 14, 2023 CVE published

March 20, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-24528 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2026-39569 WordPress 12 Step Meeting List plugin <= 3.19.9 - Broken Access Control vulnerability CVE-2025-58601 WordPress Classified Listing Plugin <= 5.0.6 - Broken Access Control Vulnerability CVE-2025-5919 Appointment Booking and Scheduling Calendar Plugin – WP Timetics <= 1.0.36 - Missing Authorization to Unauthenticated Booking Details View And Modification CVE-2025-23656 WordPress Donate visa plugin <= 1.0.0 - Stored Cross Site Scripting (XSS) vulnerability CVE-2022-3337 Lock WARP switch bypass by removing VPN profile on iOS mobile client

Identifiers

CVE CVE-2023-24528

CWE CWE-862

CVSS 6.5 / MEDIUM

Affected versions

Vendor Sap

Product Fiori apps 1.0 for travel management in SAP ERP (My Travel Requests)

Affected 600