Search criteria
12 vulnerabilities found for SAP Fiori App (Intercompany Balance Reconciliation) by SAP_SE
CVE-2026-23683 (GCVE-0-2026-23683)
Vulnerability from nvd – Published: 2026-01-27 00:22 – Updated: 2026-01-28 04:55
VLAI?
Title
Missing Authorization check in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality, integrity and availability are not impacted.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Fiori App (Intercompany Balance Reconciliation) |
Affected:
S4CORE 102
Affected: 103 Affected: 104 Affected: 105 Affected: 106 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23683",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T04:55:17.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Fiori App (Intercompany Balance Reconciliation)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "S4CORE 102"
},
{
"status": "affected",
"version": "103"
},
{
"status": "affected",
"version": "104"
},
{
"status": "affected",
"version": "105"
},
{
"status": "affected",
"version": "106"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality, integrity and availability are not impacted.\u003c/p\u003e"
}
],
"value": "SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality, integrity and availability are not impacted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T00:22:13.153Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3122486"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Authorization check in SAP Fiori App (Intercompany Balance Reconciliation)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-23683",
"datePublished": "2026-01-27T00:22:13.153Z",
"dateReserved": "2026-01-14T18:26:17.297Z",
"dateUpdated": "2026-01-28T04:55:17.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0511 (GCVE-0-2026-0511)
Vulnerability from nvd – Published: 2026-01-13 01:15 – Updated: 2026-01-14 04:57
VLAI?
Title
Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is not impacted.
Severity ?
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Fiori App (Intercompany Balance Reconciliation) |
Affected:
UIAPFI70 500
Affected: 600 Affected: 700 Affected: 800 Affected: 900 Affected: 901 Affected: 902 Affected: S4CORE 102 Affected: 103 Affected: 104 Affected: 105 Affected: 106 Affected: 107 Affected: 108 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0511",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T04:57:14.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Fiori App (Intercompany Balance Reconciliation)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "UIAPFI70 500"
},
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "700"
},
{
"status": "affected",
"version": "800"
},
{
"status": "affected",
"version": "900"
},
{
"status": "affected",
"version": "901"
},
{
"status": "affected",
"version": "902"
},
{
"status": "affected",
"version": "S4CORE 102"
},
{
"status": "affected",
"version": "103"
},
{
"status": "affected",
"version": "104"
},
{
"status": "affected",
"version": "105"
},
{
"status": "affected",
"version": "106"
},
{
"status": "affected",
"version": "107"
},
{
"status": "affected",
"version": "108"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is not impacted.\u003c/p\u003e"
}
],
"value": "SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is not impacted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T01:15:50.942Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3565506"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-0511",
"datePublished": "2026-01-13T01:15:50.942Z",
"dateReserved": "2025-12-09T22:06:50.036Z",
"dateUpdated": "2026-01-14T04:57:14.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0496 (GCVE-0-2026-0496)
Vulnerability from nvd – Published: 2026-01-13 01:13 – Updated: 2026-01-13 15:15
VLAI?
Title
Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application.
Severity ?
6.6 (Medium)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Fiori App (Intercompany Balance Reconciliation) |
Affected:
UIAPFI70 500
Affected: 600 Affected: 700 Affected: 800 Affected: 900 Affected: 901 Affected: 902 Affected: S4CORE 102 Affected: 103 Affected: 104 Affected: 105 Affected: 106 Affected: 107 Affected: 108 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0496",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T15:15:16.379852Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:15:21.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Fiori App (Intercompany Balance Reconciliation)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "UIAPFI70 500"
},
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "700"
},
{
"status": "affected",
"version": "800"
},
{
"status": "affected",
"version": "900"
},
{
"status": "affected",
"version": "901"
},
{
"status": "affected",
"version": "902"
},
{
"status": "affected",
"version": "S4CORE 102"
},
{
"status": "affected",
"version": "103"
},
{
"status": "affected",
"version": "104"
},
{
"status": "affected",
"version": "105"
},
{
"status": "affected",
"version": "106"
},
{
"status": "affected",
"version": "107"
},
{
"status": "affected",
"version": "108"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application.\u003c/p\u003e"
}
],
"value": "SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T01:13:28.818Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3565506"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-0496",
"datePublished": "2026-01-13T01:13:28.818Z",
"dateReserved": "2025-12-09T22:06:38.258Z",
"dateUpdated": "2026-01-13T15:15:21.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0495 (GCVE-0-2026-0495)
Vulnerability from nvd – Published: 2026-01-13 01:13 – Updated: 2026-01-13 15:15
VLAI?
Title
Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.
Severity ?
5.1 (Medium)
CWE
- CWE-15 - External Control of System or Configuration Setting
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Fiori App (Intercompany Balance Reconciliation) |
Affected:
UIAPFI70 500
Affected: 600 Affected: 700 Affected: 800 Affected: 900 Affected: 901 Affected: 902 Affected: S4CORE 102 Affected: 103 Affected: 104 Affected: 105 Affected: 106 Affected: 107 Affected: 108 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0495",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T15:15:35.824019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:15:41.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Fiori App (Intercompany Balance Reconciliation)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "UIAPFI70 500"
},
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "700"
},
{
"status": "affected",
"version": "800"
},
{
"status": "affected",
"version": "900"
},
{
"status": "affected",
"version": "901"
},
{
"status": "affected",
"version": "902"
},
{
"status": "affected",
"version": "S4CORE 102"
},
{
"status": "affected",
"version": "103"
},
{
"status": "affected",
"version": "104"
},
{
"status": "affected",
"version": "105"
},
{
"status": "affected",
"version": "106"
},
{
"status": "affected",
"version": "107"
},
{
"status": "affected",
"version": "108"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.\u003c/p\u003e"
}
],
"value": "SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-15",
"description": "CWE-15: External Control of System or Configuration Setting",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T01:13:20.999Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3565506"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-0495",
"datePublished": "2026-01-13T01:13:20.999Z",
"dateReserved": "2025-12-09T22:06:37.539Z",
"dateUpdated": "2026-01-13T15:15:41.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0494 (GCVE-0-2026-0494)
Vulnerability from nvd – Published: 2026-01-13 01:13 – Updated: 2026-01-13 16:19
VLAI?
Title
Information Disclosure vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted.
Severity ?
4.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Fiori App (Intercompany Balance Reconciliation) |
Affected:
UIAPFI70 500
Affected: 600 Affected: 700 Affected: 800 Affected: 900 Affected: 901 Affected: 902 Affected: UIS4H 109 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0494",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T16:19:26.654230Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T16:19:32.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Fiori App (Intercompany Balance Reconciliation)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "UIAPFI70 500"
},
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "700"
},
{
"status": "affected",
"version": "800"
},
{
"status": "affected",
"version": "900"
},
{
"status": "affected",
"version": "901"
},
{
"status": "affected",
"version": "902"
},
{
"status": "affected",
"version": "UIS4H 109"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUnder certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted.\u003c/p\u003e"
}
],
"value": "Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T01:13:14.370Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3655227"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information Disclosure vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-0494",
"datePublished": "2026-01-13T01:13:14.370Z",
"dateReserved": "2025-12-09T22:06:36.684Z",
"dateUpdated": "2026-01-13T16:19:32.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0493 (GCVE-0-2026-0493)
Vulnerability from nvd – Published: 2026-01-13 01:13 – Updated: 2026-01-13 19:07
VLAI?
Title
Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Fiori App (Intercompany Balance Reconciliation) |
Affected:
UIAPFI70 500
Affected: 600 Affected: 700 Affected: 800 Affected: 900 Affected: 901 Affected: 902 Affected: S4CORE 102 Affected: 103 Affected: 104 Affected: 105 Affected: 106 Affected: 107 Affected: 108 Affected: 109 Affected: UIS4H 109 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T14:12:47.683339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T19:07:00.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Fiori App (Intercompany Balance Reconciliation)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "UIAPFI70 500"
},
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "700"
},
{
"status": "affected",
"version": "800"
},
{
"status": "affected",
"version": "900"
},
{
"status": "affected",
"version": "901"
},
{
"status": "affected",
"version": "902"
},
{
"status": "affected",
"version": "S4CORE 102"
},
{
"status": "affected",
"version": "103"
},
{
"status": "affected",
"version": "104"
},
{
"status": "affected",
"version": "105"
},
{
"status": "affected",
"version": "106"
},
{
"status": "affected",
"version": "107"
},
{
"status": "affected",
"version": "108"
},
{
"status": "affected",
"version": "109"
},
{
"status": "affected",
"version": "UIS4H 109"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDue to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability.\u003c/p\u003e"
}
],
"value": "Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T01:13:06.863Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3655229"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-0493",
"datePublished": "2026-01-13T01:13:06.863Z",
"dateReserved": "2025-12-09T22:06:35.874Z",
"dateUpdated": "2026-01-13T19:07:00.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23683 (GCVE-0-2026-23683)
Vulnerability from cvelistv5 – Published: 2026-01-27 00:22 – Updated: 2026-01-28 04:55
VLAI?
Title
Missing Authorization check in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality, integrity and availability are not impacted.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Fiori App (Intercompany Balance Reconciliation) |
Affected:
S4CORE 102
Affected: 103 Affected: 104 Affected: 105 Affected: 106 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23683",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T04:55:17.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Fiori App (Intercompany Balance Reconciliation)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "S4CORE 102"
},
{
"status": "affected",
"version": "103"
},
{
"status": "affected",
"version": "104"
},
{
"status": "affected",
"version": "105"
},
{
"status": "affected",
"version": "106"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality, integrity and availability are not impacted.\u003c/p\u003e"
}
],
"value": "SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality, integrity and availability are not impacted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T00:22:13.153Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3122486"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Missing Authorization check in SAP Fiori App (Intercompany Balance Reconciliation)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-23683",
"datePublished": "2026-01-27T00:22:13.153Z",
"dateReserved": "2026-01-14T18:26:17.297Z",
"dateUpdated": "2026-01-28T04:55:17.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0511 (GCVE-0-2026-0511)
Vulnerability from cvelistv5 – Published: 2026-01-13 01:15 – Updated: 2026-01-14 04:57
VLAI?
Title
Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is not impacted.
Severity ?
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Fiori App (Intercompany Balance Reconciliation) |
Affected:
UIAPFI70 500
Affected: 600 Affected: 700 Affected: 800 Affected: 900 Affected: 901 Affected: 902 Affected: S4CORE 102 Affected: 103 Affected: 104 Affected: 105 Affected: 106 Affected: 107 Affected: 108 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0511",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T04:57:14.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Fiori App (Intercompany Balance Reconciliation)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "UIAPFI70 500"
},
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "700"
},
{
"status": "affected",
"version": "800"
},
{
"status": "affected",
"version": "900"
},
{
"status": "affected",
"version": "901"
},
{
"status": "affected",
"version": "902"
},
{
"status": "affected",
"version": "S4CORE 102"
},
{
"status": "affected",
"version": "103"
},
{
"status": "affected",
"version": "104"
},
{
"status": "affected",
"version": "105"
},
{
"status": "affected",
"version": "106"
},
{
"status": "affected",
"version": "107"
},
{
"status": "affected",
"version": "108"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is not impacted.\u003c/p\u003e"
}
],
"value": "SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is not impacted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T01:15:50.942Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3565506"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-0511",
"datePublished": "2026-01-13T01:15:50.942Z",
"dateReserved": "2025-12-09T22:06:50.036Z",
"dateUpdated": "2026-01-14T04:57:14.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0496 (GCVE-0-2026-0496)
Vulnerability from cvelistv5 – Published: 2026-01-13 01:13 – Updated: 2026-01-13 15:15
VLAI?
Title
Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application.
Severity ?
6.6 (Medium)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Fiori App (Intercompany Balance Reconciliation) |
Affected:
UIAPFI70 500
Affected: 600 Affected: 700 Affected: 800 Affected: 900 Affected: 901 Affected: 902 Affected: S4CORE 102 Affected: 103 Affected: 104 Affected: 105 Affected: 106 Affected: 107 Affected: 108 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0496",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T15:15:16.379852Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:15:21.939Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Fiori App (Intercompany Balance Reconciliation)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "UIAPFI70 500"
},
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "700"
},
{
"status": "affected",
"version": "800"
},
{
"status": "affected",
"version": "900"
},
{
"status": "affected",
"version": "901"
},
{
"status": "affected",
"version": "902"
},
{
"status": "affected",
"version": "S4CORE 102"
},
{
"status": "affected",
"version": "103"
},
{
"status": "affected",
"version": "104"
},
{
"status": "affected",
"version": "105"
},
{
"status": "affected",
"version": "106"
},
{
"status": "affected",
"version": "107"
},
{
"status": "affected",
"version": "108"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application.\u003c/p\u003e"
}
],
"value": "SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to upload any file (including script files) without proper file format validation. This has low impact on confidentiality, integrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T01:13:28.818Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3565506"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-0496",
"datePublished": "2026-01-13T01:13:28.818Z",
"dateReserved": "2025-12-09T22:06:38.258Z",
"dateUpdated": "2026-01-13T15:15:21.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0495 (GCVE-0-2026-0495)
Vulnerability from cvelistv5 – Published: 2026-01-13 01:13 – Updated: 2026-01-13 15:15
VLAI?
Title
Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.
Severity ?
5.1 (Medium)
CWE
- CWE-15 - External Control of System or Configuration Setting
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Fiori App (Intercompany Balance Reconciliation) |
Affected:
UIAPFI70 500
Affected: 600 Affected: 700 Affected: 800 Affected: 900 Affected: 901 Affected: 902 Affected: S4CORE 102 Affected: 103 Affected: 104 Affected: 105 Affected: 106 Affected: 107 Affected: 108 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0495",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T15:15:35.824019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T15:15:41.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Fiori App (Intercompany Balance Reconciliation)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "UIAPFI70 500"
},
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "700"
},
{
"status": "affected",
"version": "800"
},
{
"status": "affected",
"version": "900"
},
{
"status": "affected",
"version": "901"
},
{
"status": "affected",
"version": "902"
},
{
"status": "affected",
"version": "S4CORE 102"
},
{
"status": "affected",
"version": "103"
},
{
"status": "affected",
"version": "104"
},
{
"status": "affected",
"version": "105"
},
{
"status": "affected",
"version": "106"
},
{
"status": "affected",
"version": "107"
},
{
"status": "affected",
"version": "108"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application.\u003c/p\u003e"
}
],
"value": "SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-15",
"description": "CWE-15: External Control of System or Configuration Setting",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T01:13:20.999Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3565506"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Multiple vulnerabilities in SAP Fiori App (Intercompany Balance Reconciliation)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-0495",
"datePublished": "2026-01-13T01:13:20.999Z",
"dateReserved": "2025-12-09T22:06:37.539Z",
"dateUpdated": "2026-01-13T15:15:41.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0494 (GCVE-0-2026-0494)
Vulnerability from cvelistv5 – Published: 2026-01-13 01:13 – Updated: 2026-01-13 16:19
VLAI?
Title
Information Disclosure vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted.
Severity ?
4.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Fiori App (Intercompany Balance Reconciliation) |
Affected:
UIAPFI70 500
Affected: 600 Affected: 700 Affected: 800 Affected: 900 Affected: 901 Affected: 902 Affected: UIS4H 109 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0494",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T16:19:26.654230Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T16:19:32.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Fiori App (Intercompany Balance Reconciliation)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "UIAPFI70 500"
},
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "700"
},
{
"status": "affected",
"version": "800"
},
{
"status": "affected",
"version": "900"
},
{
"status": "affected",
"version": "901"
},
{
"status": "affected",
"version": "902"
},
{
"status": "affected",
"version": "UIS4H 109"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUnder certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted.\u003c/p\u003e"
}
],
"value": "Under certain conditions SAP Fiori App Intercompany Balance Reconciliation application allows an attacker to access information which would otherwise be restricted. This has low impact on confidentiality of the application, integrity and availability are not impacted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T01:13:14.370Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3655227"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information Disclosure vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-0494",
"datePublished": "2026-01-13T01:13:14.370Z",
"dateReserved": "2025-12-09T22:06:36.684Z",
"dateUpdated": "2026-01-13T16:19:32.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0493 (GCVE-0-2026-0493)
Vulnerability from cvelistv5 – Published: 2026-01-13 01:13 – Updated: 2026-01-13 19:07
VLAI?
Title
Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)
Summary
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Fiori App (Intercompany Balance Reconciliation) |
Affected:
UIAPFI70 500
Affected: 600 Affected: 700 Affected: 800 Affected: 900 Affected: 901 Affected: 902 Affected: S4CORE 102 Affected: 103 Affected: 104 Affected: 105 Affected: 106 Affected: 107 Affected: 108 Affected: 109 Affected: UIS4H 109 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0493",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T14:12:47.683339Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T19:07:00.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Fiori App (Intercompany Balance Reconciliation)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "UIAPFI70 500"
},
{
"status": "affected",
"version": "600"
},
{
"status": "affected",
"version": "700"
},
{
"status": "affected",
"version": "800"
},
{
"status": "affected",
"version": "900"
},
{
"status": "affected",
"version": "901"
},
{
"status": "affected",
"version": "902"
},
{
"status": "affected",
"version": "S4CORE 102"
},
{
"status": "affected",
"version": "103"
},
{
"status": "affected",
"version": "104"
},
{
"status": "affected",
"version": "105"
},
{
"status": "affected",
"version": "106"
},
{
"status": "affected",
"version": "107"
},
{
"status": "affected",
"version": "108"
},
{
"status": "affected",
"version": "109"
},
{
"status": "affected",
"version": "UIS4H 109"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDue to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability.\u003c/p\u003e"
}
],
"value": "Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App Intercompany Balance Reconciliation an attacker could execute state?changing actions using an inappropriate request type, this deviation from expected request semantics may allow an attacker to trigger unintended actions on behalf of an authenticated user causing low impact on integrity of the system. This has no impact on confidentiality and availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T01:13:06.863Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3655229"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (Intercompany Balance Reconciliation)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2026-0493",
"datePublished": "2026-01-13T01:13:06.863Z",
"dateReserved": "2025-12-09T22:06:35.874Z",
"dateUpdated": "2026-01-13T19:07:00.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}