Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.
CVSS 9.8 | AI Score 9.7 | EPSS 0.003
SAP Commerce, versions 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the REST API of the xyformsweb servlet, leading to Missing XML Validation. This affects the confidentiality and (partially) the availability of SAP Commerce.
CVSS 9.3 | AI Score 9 | EPSS 0.003
SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.
CVSS 9.8 | AI Score 9.2 | EPSS 0.002
Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High i...
CVSS 9.1 | AI Score 7.4 | EPSS 0.001