Description
SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.
Published: 2026-01-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Limited confidentiality exposure – non‑sensitive data accessed by low‑privilege users
Action: Assess Impact
AI Analysis

Impact

The vulnerability in the SAP Product Designer Web UI is a missing authorization check (CWE‑862) that permits any authenticated non‑administrative user to view non‑sensitive information. This results in a modest confidentiality breach, with no impact on the integrity or availability of the application.

Affected Systems

Affected systems include SAP's Business Server Pages Application (Product Designer Web UI). Version details are not specified in the provided data.

Risk and Exploitability

The CVSS score is 4.3, placing the risk in the low category, and the EPSS score is below 1%, indicating a minimal likelihood of exploitation. The vulnerability is not listed in the KEV catalog. Exploitation requires a legitimate user account that is not an administrator, suggesting that an attacker would need valid credentials or an existing user account to access the exposed data.

Generated by OpenCVE AI on April 18, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SAP security patch identified in note 3677111 or any newer fix for Business Server Pages Application (Product Designer Web UI).
  • Verify that role‑based access controls are correctly configured so that only authorized users can view the attacker‑controlled web interface.
  • Conduct a review of user accounts and permissions to ensure that non‑administrative roles do not have unnecessary access to the Product Designer Web UI.

Generated by OpenCVE AI on April 18, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 13 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Sap
Sap business Server Pages Application
Vendors & Products Sap
Sap business Server Pages Application

Tue, 13 Jan 2026 01:45:00 +0000

Type Values Removed Values Added
Description SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.
Title Missing Authorization check in Business Server Pages Application (Product Designer Web UI)
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Sap Business Server Pages Application
cve-icon MITRE

Status: PUBLISHED

Assigner: sap

Published:

Updated: 2026-01-13T15:15:00.816Z

Reserved: 2025-12-09T22:06:39.003Z

Link: CVE-2026-0497

cve-icon Vulnrichment

Updated: 2026-01-13T15:14:57.469Z

cve-icon NVD

Status : Deferred

Published: 2026-01-13T02:15:52.150

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0497

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:00:11Z

Weaknesses