NVD:CVE-2022-41204
History: Oct 11, 2022 - 9:15 p.m.

CVE-2022-41204

2022-10-11 21:15:26
CWE-601
web.nvd.nist.gov
sap commerce, login page, manipulation, vulnerability, credentials, hijack, confidentiality, integrity, availability

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.002
Percentile: 60.5%

An attacker can change the content of the login page of SAP Commerce (versions 1905, 2005, 2105, 2011, 2205) through a manipulated URL. They can inject code that redirects submissions from the affected login form to their own server, which allows them to steal credentials and hijack accounts. A successful attack could compromise the Confidentiality, Integrity, and Availability of the system.

Affected configurations

Nvd node: sap commerce match 1905 OR 2005 OR 2011 OR 2105 OR 2205

Vendor  Product   Version  CPE
sap     commerce  1905     cpe:2.3:a:sap:commerce:1905:*:*:*:*:*:*:*
sap     commerce  2005     cpe:2.3:a:sap:commerce:2005:*:*:*:*:*:*:*
sap     commerce  2011     cpe:2.3:a:sap:commerce:2011:*:*:*:*:*:*:*
sap     commerce  2105     cpe:2.3:a:sap:commerce:2105:*:*:*:*:*:*:*
sap     commerce  2205     cpe:2.3:a:sap:commerce:2205:*:*:*:*:*:*:*
