Impact
The vulnerability arises from a missing authorization check within the Scorecard Wizard component of SAP Strategic Enterprise Management. An attacker who has authenticated successfully can read data that should not be available to them and alter default settings and value fields, leading to distorted risk assessments and falsely lowered risk levels. The defect results in a low impact on the confidentiality and integrity of the data, with no effect on the availability of the application.
Affected Systems
The affected product is SAP Strategic Enterprise Management, specifically the Balanced Scorecard Wizard module on Business Server Pages. No specific version information is provided, so all installations of this module may be vulnerable until a patch is applied.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation likely requires an attacker who has already authenticated with valid credentials. Because the flaw permits only information disclosure and configuration changes, the damage a determined adversary can cause is limited to confidentiality and integrity degradation rather than a full compromise. Given the moderate CVSS score and the lack of exploit probability data, the overall risk is moderate, but the potential for misrepresenting risk levels remains a concern for organizations relying on accurate risk evaluations.