
CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

08 Oct 2024 — SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on the confidentiality and integrity of the application. • https://me.sap.com/notes/3507545 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

13 Aug 2024 — In SAP Commerce, valid user accounts can be identified during the customer registration and login processes. This allows a potential attacker to learn whether a given e-mail address is used for an account, but does not grant access to any customer data beyond this knowledge. The attacker must already know the e-mail address they wish to test for. The impact on confidentiality is therefore low, with no impact on integrity or availability. • https://me.sap.com/notes/3471450 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

13 Aug 2024 — SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability with low impact on the confidentiality and integrity of the application. • https://me.sap.com/notes/3483256 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.4 | EPSS: 0% | CPEs: 2 | EXPL: 0

13 Aug 2024 — Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII), such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a high impact on the confidentiality and integrity of the application. • https://me.sap.com/notes/3459935 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.2 | EPSS: 0% | CPEs: 2 | EXPL: 0

09 Jul 2024 — In SAP Commerce, a user can misuse the forgotten-password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as an isolated site, this can also grant access to other non-isolated early-login sites, even if registration is not enabled for those other sites. • https://me.sap.com/notes/3490515 • CWE-285: Improper Authorization

CVSS: 8.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Dec 2023 — In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM 2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten-password functionality to unblock their user account again and regain access if SAP Commerce Cloud - Composable Storefront is used as the storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity. • https://me.sap.com/notes/3394567 • CWE-284: Improper Access Control • CWE-640: Weak Password Recovery Mechanism for Forgotten Password

CVSS: 7.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

08 Aug 2023 — Under certain conditions, SAP Commerce (OCC API) - versions HY_COM 2105, HY_COM 2205, COM_CLOUD 2211 - endpoints allow an attacker to access information which would otherwise be restricted. On successful exploitation there could be a high impact on confidentiality, with no impact on the integrity and availability of the application. • https://me.sap.com/notes/3341934 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-524: Use of Cache Containing Sensitive Information

CVSS: 10.0 | EPSS: 0% | CPEs: 3 | EXPL: 0

08 Aug 2023 — SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase. • https://me.sap.com/notes/3346500 • CWE-258: Empty Password in Configuration File • CWE-1390: Weak Authentication

CVSS: 8.0 | EPSS: 0% | CPEs: 5 | EXPL: 0

13 Dec 2022 — Due to a lack of proper input validation, SAP Commerce Webservices 2.0 (Swagger UI) - versions 1905, 2005, 2105, 2011, 2205 - allows malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a DOM-based Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to steal user tokens and achieve a full account takeover, including access to administrative tools in SAP Commerce. • https://launchpad.support.sap.com/#/notes/3248255 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 | EPSS: 0% | CPEs: 5 | EXPL: 0

11 Oct 2022 — An attacker can change the content of an SAP Commerce - versions 1905, 2005, 2105, 2011, 2205 - login page through a manipulated URL. They can inject code that allows them to redirect submissions from the affected login form to their own server. This allows them to steal credentials and hijack accounts. A successful attack could compromise the confidentiality, integrity, and availability of the system. • https://launchpad.support.sap.com/#/notes/3239152 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')