Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and modify value fields, which will mislead risk evaluations and falsely lower assessed risk levels. This results in a low impact on the confidentiality and integrity of the data. There is no impact on the application�s availability.
AnalysisAI
Missing authorization checks in SAP Strategic Enterprise Management's Scorecard Wizard (Business Server Pages application) allow authenticated users to access restricted information and modify risk evaluation settings without proper authorization. An attacker with valid credentials can view confidential data and alter default configuration values, artificially reducing assessed risk levels to deceive risk assessment processes. No patch availability or active exploitation has been confirmed.
Technical ContextAI
SAP Strategic Enterprise Management (SEM) is an enterprise software platform for financial consolidation, planning, and risk management. The vulnerability exists in the Scorecard Wizard component, a Business Server Pages (BSP) application within SEM's balanced scorecard functionality. BSP is SAP's proprietary web application technology built on top of the ABAP runtime environment. The root cause is CWE-862 (Missing Authorization), indicating the application fails to enforce proper access control checks before allowing users to retrieve sensitive information or modify configuration parameters. The vulnerability affects all versions of the affected CPE string, suggesting a systemic authorization gap rather than a version-specific flaw.
RemediationAI
Contact SAP Support immediately and consult SAP Security Patch Day (https://url.sap/sapsecuritypatchday) and SAP Note 3721959 (https://me.sap.com/notes/3721959) for the appropriate patched SEM version for your deployment. No specific patch version number is confirmed in available data at time of analysis. As interim compensating controls pending patch deployment, restrict access to the Scorecard Wizard component at the network level using firewall or reverse proxy rules to limit exposure to only authorized personnel; audit access logs for unauthorized attempts to view or modify scorecard settings; and implement role-based access control (RBAC) segregation to ensure users cannot access scorecard data outside their assigned business unit or function. These controls do not remediate the underlying authorization flaw but reduce exposure window. Request SAP for specific ABAP role restrictions or BSP URL path exclusions applicable to your SEM version.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29362
GHSA-j2qh-793j-f8hc