CVE-2019-0344

Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.

CVE-2024-33003

Some OCC API endpoints in SAP Commerce Cloudallows Personally Identifiable Information (PII) data, such as passwords, emailaddresses, mobile numbers, coupon codes, and voucher codes, to be included inthe request URL as query or path parameters. On successful exploitation, thiscould lead to a High i...

CVE-2023-39439

SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.

CVE-2020-6238

SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce.