CVSS: 8.6EPSS: 0%CPEs: 4EXPL: 0CVE-2020-6264
https://notcve.org/view.php?id=CVE-2020-6264
10 Jun 2020 — SAP Commerce, versions - 6.7, 1808, 1811, 1905, may allow an attacker to access information under certain conditions which would otherwise be restricted, leading to Information Disclosure. SAP Commerce, versiones - 6.7, 1808, 1811, 1905, puede permitir a un atacante acceder a la información bajo determinadas condiciones que de otro modo estarían restringidas, conllevando a una Divulgación de Información • https://launchpad.support.sap.com/#/notes/2906366 •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2020-6265
https://notcve.org/view.php?id=CVE-2020-6265
09 Jun 2020 — SAP Commerce, versions - 6.7, 1808, 1811, 1905, and SAP Commerce (Data Hub), versions - 6.7, 1808, 1811, 1905, allows an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials. SAP Commerce, versiones - 6.7, 1808, 1811, 1905, y SAP Commerce (Data Hub), versiones - 6.7, 1808, 1811, 1905, permite a un atacante omitir una autenticación y/o autorización configurada por el administrador del sistema debido al uso de C... • https://launchpad.support.sap.com/#/notes/2918924 • CWE-798: Use of Hard-coded Credentials •
CVSS: 9.3EPSS: 0%CPEs: 5EXPL: 0CVE-2020-6238
https://notcve.org/view.php?id=CVE-2020-6238
14 Apr 2020 — SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce. SAP Commerce, versiones 6.6, 6.7, 1808, 1811, 1905, no procesa una entrada XML de forma segura en la API Rest del Servlet xyformsweb, conllevando a una Falta de Comprobación XML. Esto afecta la confidencialidad y la disponibilidad (parcialmente) de SAP Commerce. • https://launchpad.support.sap.com/#/notes/2904480 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2020-6201
https://notcve.org/view.php?id=CVE-2020-6201
10 Mar 2020 — The SAP Commerce (Testweb Extension), versions- 6.6, 6.7, 1808, 1811, 1905, does not sufficiently encode user-controlled inputs, due to which certain GET URL parameters are reflected in the HTTP responses without escaping/sanitization, leading to Reflected Cross Site Scripting. SAP Commerce (Testweb Extension), versiones 6.6, 6.7, 1808, 1811, 1905, no codifica suficientemente las entradas controladas por el usuario, debido a que determinados parámetros GET URL son reflejados en las respuestas HTTP sin escap... • https://launchpad.support.sap.com/#/notes/2876813 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2020-6200
https://notcve.org/view.php?id=CVE-2020-6200
10 Mar 2020 — The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templating facilities of the angular framework. SAP Commerce (SmartEdit Extension), versiones 6.6, 6.7, 1808, 1811, es vulnerable a una inyección de plantilla angularjs del lado del cliente, una variante de tipo Cross-Site-Scripting (XSS) que explota las instalaciones de plantillas del framework angular. • https://launchpad.support.sap.com/#/notes/2876413 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 28%CPEs: 7EXPL: 0CVE-2019-0344 – SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability
https://notcve.org/view.php?id=CVE-2019-0344
14 Aug 2019 — Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection. Debido a una deserialización no confiable usada en SAP Commerce Cloud (virtualjdbc extension), versiones 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, es posible ejecutar código arbitrario en una máquina de destino con derechos de usuario 'Hybris', resultando en Inyección d... • https://launchpad.support.sap.com/#/notes/2786035 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2019-0343
https://notcve.org/view.php?id=CVE-2019-0343
14 Aug 2019 — SAP Commerce Cloud (Mediaconversion Extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, allows an authenticated Backoffice/HMC user to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application. SAP Commerce Cloud (Mediaconversion Extension), versiones 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, permite a un usuario autenticado de Backoffice/HMC inyectar código que puede ser ejecutado por la aplicación, conllevando a la ... • https://launchpad.support.sap.com/#/notes/2786035 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2019-0322
https://notcve.org/view.php?id=CVE-2019-0322
10 Jul 2019 — SAP Commerce Cloud (previously known as SAP Hybris Commerce), (HY_COM, versions 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811), allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. SAP Commerce Cloud (anteriormente conocido como SAP Hybris Commerce), (HY_COM, versiones 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811), permite que un atacante impida a los usuarios legítimos acceder a un servicio, ya sea bloqueando o inundando el servicio . • http://www.securityfocus.com/bid/109076 •