18 matches found
CVE-2023-37486
Summary : CVE-2023-37486 corresponds to an information-disclosure issue in SAP Commerce (OCC API). The affected components are SAP Commerce Cloud/Hybris with OCC API endpoints HY_COM 2105, HY_COM 2205, and COM_CLOUD 2211. According to the provided documents, under certain conditions these endpoin...
CVE-2019-0344
CVE-2019-0344 affects SAP Commerce Cloud (Hybris) via unsafe deserialization in the virtualjdbc extension, impacting versions 6.4–6.7, 1808, 1811, 1905. This allows arbitrary code execution with Hybris user rights (Code Injection). Connected sources corroborate the vulnerability and its impact. R...
CVE-2019-0322
CVE-2019-0322 affects SAP Commerce Cloud (HY_COM) with versions 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811. The connected documents describe that an attacker can prevent legitimate users from accessing a service, either by crashing or flooding it, indicating a denial-of-service impact. The root cause is...
CVE-2021-21445
CVE-2021-21445 affects SAP Commerce Cloud releases 1808, 1811, 1905, 2005, and 2011, where an authenticated attacker can cause invalid data to be sent in the HTTP Content-Type header due to input validation issues. This could enable advanced attacks such as cross-site scripting and page hijacking...
CVE-2024-33003
CVE-2024-33003 affects SAP Commerce Cloud via the OCC API Endpoint component. The root issue is that certain OCC API endpoints may include PII (passwords, emails, mobile numbers, coupon/voucher codes) in the request URL as query or path parameters, leading to potential disclosure and integrity im...
CVE-2023-39439
CVE-2023-39439 affects SAP Commerce Cloud. The provided connected documents confirm an empty passphrase is accepted for user ID and passphrase authentication, enabling login without a passphrase. Affected product is SAP Commerce Cloud; the underlying issue is authentication accepting an empty pas...
CVE-2020-6200
SAP Commerce SmartEdit Extension (versions 6.6, 6.7, 1808, 1811) is affected by a client-side AngularJS template injection vulnerability (a type of XSS) in Angular templating facilities. Root cause: improper handling of template data in the client, per the CVE-2020-6200 descriptions. Impact is XS...
CVE-2020-6201
CVE-2020-6201 affects SAP Commerce (Testweb Extension) versions 6.6, 6.7, 1808, 1811, 1905. The vulnerability is a reflected Cross-Site Scripting (XSS) due to insufficient encoding of user-controlled inputs, where certain GET URL parameters are reflected in HTTP responses without proper escaping....
CVE-2020-6272
The CVE-2020-6272 issue affects SAP Commerce Cloud (versions 1808, 1811, 1905, 2005) and arises from insufficient input encoding in web CMS components. The root cause is improper encoding of user inputs, enabling an authenticated and authorized content manager to inject malicious script into seve...
CVE-2020-6363
CVE-2020-6363 affects SAP Commerce Cloud (versions 1808, 1811, 1905, 2005). The root cause is insufficient session expiration: when a user changes their passphrase, active sessions remain valid, enabling reuse of old session credentials by an attacker. Public documents describe the issue but do n...
CVE-2019-0343
CVE-2019-0343 affects SAP Commerce Cloud (Mediaconversion Extension) versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905. The vulnerability arises from an authenticated Backoffice/HMC user being able to inject code that is executed by the application, enabling Code Injection and allowing an attacker to...
CVE-2020-26809
SAP Commerce Cloud (versions 1808, 1811, 1905, 2005) is affected by CVE-2020-26809 where an attacker can bypass authentication/permission checks via the /medias endpoint, gaining access to Secure Media folders and potentially exposing sensitive data. The root cause is not fully detailed beyond th...
CVE-2020-6238
SAP Commerce versions 6.6, 6.7, 1808, 1811, 1905 are affected by an insecure XML input handling flaw in the Rest API (Servlet xyformsweb), causing Missing XML Validation. The vulnerability affects confidentiality and availability (partially). Root cause: unvalidated XML input processing in the Re...
CVE-2021-33666
SAP Commerce Cloud (version 100) when serving a JavaScript storefront is vulnerable to MIME sniffing that could enable an XSS attack or malware proliferation under certain conditions. Root cause appears to be MIME sniffing behavior; no remediation or patch details are provided in the supplied doc...
CVE-2020-6232
CVE-2020-6232 affects SAP Commerce versions 1811 and 1905. Root cause: missing authorization checks for anonymous users; impact is confidentiality of secure media. Connected documents confirm the same details; exploitation methods, affected fixes, or mitigations are not provided in the supplied m...
CVE-2023-42481
CVE-2023-42481 affects SAP Commerce Cloud (HY_COM 1905–2205; COM_CLOUD 2211) where a locked B2B user can abuse the forgotten-password flow to unblock and re-gain access when the Composable Storefront is used. Root cause: weak access controls in the forgotten-password mechanism. Implications: impa...
CVE-2026-24321
CVE-2026-24321 concerns SAP Commerce Cloud, where multiple API endpoints are exposed to unauthenticated users. The issue allows retrieval of information not intended for public access via the front-end. The documented impact is limited to confidentiality (low), with no reported impact to integrit...
CVE-2026-23684
CVE-2026-23684 affects SAP Commerce Cloud. A race condition during cart-operations can cause a cart entry to be created with an erroneous product value, potentially allowing manipulation at checkout and impacting data integrity (I:H, A:N, C:N). CVSS 3.1 base score 5.9 (MEDIUM); attack vector: net...