CVE-2024-47577

EPSS 0.07%
Published 10.12.2024 01:15:05
Last modified 10.12.2024 01:15:05
Source cna@sap.com
Teams watchlist Login
Open Login

Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability. When an authorized agent searches for customer to manage their accounts, the request url includes customer data and it is recorded in server logs. If an attacker impersonating as authorized admin visits such server logs, then they get access to the customer data. The amount of leaked confidential data however is extremely limited, and the attacker has no control over what data is leaked.

Affected products Warnungen 0 Metrics 2 CWE 1 References 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorSAP_SE

≫

Product SAP Commerce Cloud

Default Statusunaffected

Version HY_COM 2205

Status affected

Version COM_CLOUD 2211

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.07%	0.206

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
cna@sap.com	2.7	1.2	1.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CWE-319 Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

https://url.sap/sapsecuritypatchday

https://me.sap.com/notes/3535451

https://nvd.nist.gov/vuln/detail/CVE-2024-47577

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-47577

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-47577

EUVD