{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0497", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-12-09T22:06:39.003Z", "datePublished": "2026-01-13T01:13:35.718Z", "dateUpdated": "2026-01-13T15:15:00.816Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Business Server Pages Application (Product Designer Web UI)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "SAP_APPL 618"}, {"status": "affected", "version": "S4CORE 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "EA-APPL 600"}, {"status": "affected", "version": "602"}, {"status": "affected", "version": "603"}, {"status": "affected", "version": "604"}, {"status": "affected", "version": "605"}, {"status": "affected", "version": "606"}, {"status": "affected", "version": "617"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.</p>"}], "value": "SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-01-13T01:13:35.718Z"}, "references": [{"url": "https://me.sap.com/notes/3677111"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Missing Authorization check in Business Server Pages Application (Product Designer Web UI)", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T15:14:54.400127Z", "id": "CVE-2026-0497", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T15:15:00.816Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0497", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-13T15:14:54.400127Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T15:14:57.469Z"}}], "cna": {"title": "Missing Authorization check in Business Server Pages Application (Product Designer Web UI)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "Business Server Pages Application (Product Designer Web UI)", "versions": [{"status": "affected", "version": "SAP_APPL 618"}, {"status": "affected", "version": "S4CORE 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "109"}, {"status": "affected", "version": "EA-APPL 600"}, {"status": "affected", "version": "602"}, {"status": "affected", "version": "603"}, {"status": "affected", "version": "604"}, {"status": "affected", "version": "605"}, {"status": "affected", "version": "606"}, {"status": "affected", "version": "617"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3677111"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.", "supportingMedia": [{"type": "text/html", "value": "<p>SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2026-01-13T01:13:35.718Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0497", "state": "PUBLISHED", "dateUpdated": "2026-01-13T15:15:00.816Z", "dateReserved": "2025-12-09T22:06:39.003Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2026-01-13T01:13:35.718Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application."}, {"lang": "es", "value": "La Interfaz de usuario web de SAP Product Designer de P\u00e1ginas de Servidor de Negocio permite a usuarios autenticados no administrativos acceder a informaci\u00f3n no sensible. Esto resulta en un impacto bajo en la confidencialidad, sin impacto en la integridad o disponibilidad de la aplicaci\u00f3n."}], "id": "CVE-2026-0497", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@sap.com", "type": "Primary"}]}, "published": "2026-01-13T02:15:52.150", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3677111"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T06:50:47.635471+00:00", "value": {"mitigation_remediation": ["Apply the SAP security patch identified in note 3677111 or any newer fix for Business Server Pages Application (Product Designer Web UI).", "Verify that role\u2011based access controls are correctly configured so that only authorized users can view the attacker\u2011controlled web interface.", "Conduct a review of user accounts and permissions to ensure that non\u2011administrative roles do not have unnecessary access to the Product Designer Web UI."], "summary": {"action": "Assess Impact", "impact": "Limited confidentiality exposure \u2013 non\u2011sensitive data accessed by low\u2011privilege users"}, "threat_synthesis": {"affected_systems": "Affected systems include SAP's Business Server Pages Application (Product Designer Web UI). Version details are not specified in the provided data.", "description_and_impact": "The vulnerability in the SAP Product Designer Web UI is a missing authorization check (CWE\u2011862) that permits any authenticated non\u2011administrative user to view non\u2011sensitive information. This results in a modest confidentiality breach, with no impact on the integrity or availability of the application.", "risk_and_exploitability": "The CVSS score is 4.3, placing the risk in the low category, and the EPSS score is below 1%, indicating a minimal likelihood of exploitation. The vulnerability is not listed in the KEV catalog. Exploitation requires a legitimate user account that is not an administrator, suggesting that an attacker would need valid credentials or an existing user account to access the exposed data."}}}}, "created": "2026-01-13T09:27:05.138975+00:00", "updated": "2026-04-18T07:00:11.344437+00:00", "vendors": ["sap", "sap$PRODUCT$business_server_pages_application"]}