Page 4 of 20 results (0.003 seconds)

CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0

The SAP Commerce (Testweb Extension), versions- 6.6, 6.7, 1808, 1811, 1905, does not sufficiently encode user-controlled inputs, due to which certain GET URL parameters are reflected in the HTTP responses without escaping/sanitization, leading to Reflected Cross Site Scripting. SAP Commerce (Testweb Extension), versiones 6.6, 6.7, 1808, 1811, 1905, no codifica suficientemente las entradas controladas por el usuario, debido a que determinados parámetros GET URL son reflejados en las respuestas HTTP sin escape y saneamiento, conllevando a un ataque de tipo Cross Site Scripting Reflejado. • https://launchpad.support.sap.com/#/notes/2876813 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0

The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templating facilities of the angular framework. SAP Commerce (SmartEdit Extension), versiones 6.6, 6.7, 1808, 1811, es vulnerable a una inyección de plantilla angularjs del lado del cliente, una variante de tipo Cross-Site-Scripting (XSS) que explota las instalaciones de plantillas del framework angular. • https://launchpad.support.sap.com/#/notes/2876413 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 28%CPEs: 7EXPL: 0

Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection. Debido a una deserialización no confiable usada en SAP Commerce Cloud (virtualjdbc extension), versiones 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, es posible ejecutar código arbitrario en una máquina de destino con derechos de usuario 'Hybris', resultando en Inyección de Código. SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection. • https://launchpad.support.sap.com/#/notes/2786035 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 • CWE-502: Deserialization of Untrusted Data •

CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0

SAP Commerce Cloud (Mediaconversion Extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, allows an authenticated Backoffice/HMC user to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application. SAP Commerce Cloud (Mediaconversion Extension), versiones 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, permite a un usuario autenticado de Backoffice/HMC inyectar código que puede ser ejecutado por la aplicación, conllevando a la Inyección de Código. De este modo, un atacante podría controlar el comportamiento de la aplicación. • https://launchpad.support.sap.com/#/notes/2786035 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523998017 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0

SAP Commerce Cloud (previously known as SAP Hybris Commerce), (HY_COM, versions 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811), allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. SAP Commerce Cloud (anteriormente conocido como SAP Hybris Commerce), (HY_COM, versiones 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811), permite que un atacante impida a los usuarios legítimos acceder a un servicio, ya sea bloqueando o inundando el servicio . • http://www.securityfocus.com/bid/109076 https://launchpad.support.sap.com/#/notes/2781873 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=523994575 •