10 matches found
CVE-2021-27602
CVE-2021-27602 affects SAP Commerce Backoffice in versions 1808, 1811, 1905, 2005, 2011. The backoffice allows certain authorized users to create source rules, which are translated to Drools rules when published to certain modules. The vulnerability arises when an attacker with this authorization...
CVE-2022-41204
CVE-2022-41204 affects SAP Commerce versions 1905–2205 and targets the login page. A manipulated URL can inject client-side code to change the login form submission, redirecting data to an attacker-controlled server. This enables credential theft and account hijacking, impacting confidentiality, ...
CVE-2024-41733
Concrete details from connected sources confirm a candidate vulnerability in SAP Commerce: an information-disclosure issue that allows an attacker to determine whether a given email is associated with a valid user account during registration or login. The impact is confined to confidentiality (lo...
CVE-2021-40502
CVE-2021-40502 affects SAP Commerce versions 2105.3, 2011.13, 2005.18, and 1905.34. The issue stems from missing authorization checks for an authenticated user, enabling privilege escalation to access and edit data from B2B units the user does not belong to. The NVD entry lists CVSS v3.1 base sco...
CVE-2021-42064
SAP Commerce (versions 1905, 2005, 2105, 2011) is vulnerable when configured to use Oracle DB and a query is built with the Flexible Search Java API using a parameterized IN clause that accepts more than 1000 values. The root cause is not explicitly described beyond this parameterized IN clause b...
CVE-2021-21477
CVE-2021-21477 affects SAP Commerce Cloud versions 1808, 1811, 1905, 2005 and 2011. A misconfiguration of default user permissions lets certain users with required privileges edit DroolsRule ruleContents, enabling injection of malicious code that leads to Remote Code Execution and impacts confide...
CVE-2020-6265
CVE-2020-6265 concerns SAP Commerce and SAP Commerce (Data Hub) prior to patched builds. Affected versions include SAP Commerce 6.7, 1808, 1811, 1905 and SAP Commerce (Data Hub) 6.7, 1808, 1811, 1905. The issue arises from the use of hardcoded credentials, allowing an attacker to bypass authentic...
CVE-2021-27619
The CVE-2021-27619 issue affects SAP Commerce (Backoffice Search) and is present in versions 1808, 1811, 1905, 2005, and 2011. A low-privilege user can perform a masked attribute search and, by iteratively entering one character at a time, infer the actual value of masked attributes, resulting in...
CVE-2020-6302
CVE-2020-6302 affects SAP Commerce versions 6.7, 1808, 1811, 1905 and 2005. The backoffice URL exposes the jSession ID on initial load, enabling session fixation with potential access to admin accounts and full compromise of confidentiality, integrity, and availability. Red Hat notes the same CVE...
CVE-2020-6264
SAP Commerce (versions 6.7, 1808, 1811, 1905) is affected by an information-disclosure vulnerability. The available connected sources indicate an attacker could access information that should be restricted under certain conditions. The exact root cause, vulnerable component/file, exploit details,...