CVE-2025-24875
- EPSS 0.03%
- Published 11.02.2025 01:15:11
- Last modified 18.02.2025 18:15:34
SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None (SameSite=None). This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and m...
CVE-2024-47577
- EPSS 0.07%
- Published 10.12.2024 01:15:05
- Last modified 10.12.2024 01:15:05
Webservice API endpoints for the Assisted Service Module within SAP Commerce Cloud have an information disclosure vulnerability. When an authorized agent searches for a customer to manage their account, the request URL includes customer data and it is recorde...
CVE-2024-33003
- EPSS 0.49%
- Published 13.08.2024 04:15:07
- Last modified 16.09.2024 16:22:07
Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On...
CVE-2024-39597
- EPSS 0.1%
- Published 09.07.2024 04:15:13
- Last modified 21.11.2024 09:28:05
In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration are activated, without requiring the merchant to approve the account beforehand. If the s...
CVE-2023-42481
- EPSS 0.08%
- Published 12.12.2023 01:15:11
- Last modified 21.11.2024 08:22:38
In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM 2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211 - a locked B2B user can misuse the forgotten password functionality to unblock their user account again and regain access if SAP Commerce C...
CVE-2023-39439
- EPSS 0.3%
- Published 08.08.2023 01:15:19
- Last modified 21.11.2024 08:15:25
SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.
CVE-2023-37486
- EPSS 0.14%
- Published 08.08.2023 01:15:17
- Last modified 21.11.2024 08:11:48
Under certain conditions, SAP Commerce (OCC API) endpoints - versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211 - allow an attacker to access information which would otherwise be restricted. On successful exploitation there could be a high impact on con...
CVE-2021-33666
- EPSS 0.15%
- Published 09.06.2021 14:15:10
- Last modified 21.11.2024 06:09:19
When SAP Commerce Cloud version 100 hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, could be used to facilitate an XSS attack or malware proliferation.
CVE-2021-21445
- EPSS 0.18%
- Published 12.01.2021 15:15:14
- Last modified 21.11.2024 05:48:23
SAP Commerce Cloud, versions 1808, 1811, 1905, 2005, and 2011, allows an authenticated attacker to include unvalidated data in the HTTP response Content-Type header, due to improper input validation, which is then sent to a Web user. A successful exploitation of...
CVE-2020-26809
- EPSS 0.26%
- Published 10.11.2020 17:15:13
- Last modified 21.11.2024 05:20:19
SAP Commerce Cloud, versions 1808, 1811, 1905, and 2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint, thus gaining access to Secure Media folders. These folders could contain sensitive files that resu...