Vulnerabilites related to SAP_SE - SAP Commerce
cve-2024-41733
Vulnerability from cvelistv5
Published
2024-08-13 03:52
Modified
2024-08-13 14:48
Severity ?
EPSS score ?
Summary
In SAP Commerce, valid user accounts can be
identified during the customer registration and login processes. This allows a
potential attacker to learn if a given e-mail is used for an account, but does
not grant access to any customer data beyond this knowledge. The attacker must
already know the e-mail that they wish to test for. The impact on
confidentiality therefore is low and no impact to integrity or availability
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Commerce |
Version: HY_COM 2205 Version: COM_CLOUD 2211 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sap:commerce_cloud:2211:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "commerce_cloud",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "2211"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap:commerce_hycom:2205:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "commerce_hycom",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "2205"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41733",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-13T14:36:37.582079Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T14:48:19.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Commerce",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "HY_COM 2205"
},
{
"status": "affected",
"version": "COM_CLOUD 2211"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In SAP Commerce, valid user accounts can be\nidentified during the customer registration and login processes. This allows a\npotential attacker to learn if a given e-mail is used for an account, but does\nnot grant access to any customer data beyond this knowledge. The attacker must\nalready know the e-mail that they wish to test for. The impact on\nconfidentiality therefore is low and no impact to integrity or availability"
}
],
"value": "In SAP Commerce, valid user accounts can be\nidentified during the customer registration and login processes. This allows a\npotential attacker to learn if a given e-mail is used for an account, but does\nnot grant access to any customer data beyond this knowledge. The attacker must\nalready know the e-mail that they wish to test for. The impact on\nconfidentiality therefore is low and no impact to integrity or availability"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T03:52:25.523Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3471450"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Information Disclosure Vulnerability in SAP Commerce",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-41733",
"datePublished": "2024-08-13T03:52:25.523Z",
"dateReserved": "2024-07-22T08:06:52.676Z",
"dateUpdated": "2024-08-13T14:48:19.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-39439
Vulnerability from cvelistv5
Published
2023-08-08 00:49
Modified
2024-09-28 22:08
Severity ?
EPSS score ?
Summary
SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Commerce |
Version: HY_COM 2105 Version: HY_COM 2205 Version: COM_CLOUD 2211 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T18:10:20.432Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3346500"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Commerce",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "HY_COM 2105"
},
{
"status": "affected",
"version": "HY_COM 2205"
},
{
"status": "affected",
"version": "COM_CLOUD 2211"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.\u003c/p\u003e"
}
],
"value": "SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-258",
"description": "CWE-258: Empty Password in Configuration File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-28T22:08:55.861Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3346500"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SAP Commerce accepts empty passphrases.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-39439",
"datePublished": "2023-08-08T00:49:01.594Z",
"dateReserved": "2023-08-01T21:49:02.688Z",
"dateUpdated": "2024-09-28T22:08:55.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2025-24875
Vulnerability from cvelistv5
Published
2025-02-11 00:37
Modified
2025-02-18 18:05
Severity ?
EPSS score ?
Summary
SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None (SameSite=None). This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and may lead to future compatibility issues.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Commerce |
Version: HY_COM 2205 Version: COM_CLOUD 2211 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24875",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T05:46:21.384763Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T18:05:00.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Commerce",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "HY_COM 2205"
},
{
"status": "affected",
"version": "COM_CLOUD 2211"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None (SameSite=None). This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and may lead to future compatibility issues.\u003c/p\u003e"
}
],
"value": "SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None (SameSite=None). This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and may lead to future compatibility issues."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "eng",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T00:37:32.280Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3555364"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SameSite Defense in Depth not applied for some cookies in SAP Commerce",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2025-24875",
"datePublished": "2025-02-11T00:37:32.280Z",
"dateReserved": "2025-01-27T08:57:48.545Z",
"dateUpdated": "2025-02-18T18:05:00.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-39597
Vulnerability from cvelistv5
Published
2024-07-09 03:48
Modified
2024-08-02 04:26
Severity ?
EPSS score ?
Summary
In SAP Commerce, a user can misuse the forgotten
password functionality to gain access to a Composable Storefront B2B site for
which early login and registration is activated, without requiring the merchant
to approve the account beforehand. If the site is not configured as isolated
site, this can also grant access to other non-isolated early login sites, even
if registration is not enabled for those other sites.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Commerce |
Version: HY_COM 2205 Version: COM_CLOUD 2211 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:sap:commerce_hycom:2205:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "commerce_hycom",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "2205"
}
]
},
{
"cpes": [
"cpe:2.3:a:sap:commerce_cloud:2211:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "commerce_cloud",
"vendor": "sap",
"versions": [
{
"status": "affected",
"version": "2211"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39597",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T16:16:45.901701Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T16:20:38.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:26:15.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://url.sap/sapsecuritypatchday"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3490515"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP Commerce",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "HY_COM 2205"
},
{
"status": "affected",
"version": "COM_CLOUD 2211"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In SAP Commerce, a user can misuse the forgotten\npassword functionality to gain access to a Composable Storefront B2B site for\nwhich early login and registration is activated, without requiring the merchant\nto approve the account beforehand. If the site is not configured as isolated\nsite, this can also grant access to other non-isolated early login sites, even\nif registration is not enabled for those other sites.\n\n\n\n"
}
],
"value": "In SAP Commerce, a user can misuse the forgotten\npassword functionality to gain access to a Composable Storefront B2B site for\nwhich early login and registration is activated, without requiring the merchant\nto approve the account beforehand. If the site is not configured as isolated\nsite, this can also grant access to other non-isolated early login sites, even\nif registration is not enabled for those other sites."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T03:48:11.488Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://url.sap/sapsecuritypatchday"
},
{
"url": "https://me.sap.com/notes/3490515"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "[CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-39597",
"datePublished": "2024-07-09T03:48:11.488Z",
"dateReserved": "2024-06-26T09:58:24.095Z",
"dateUpdated": "2024-08-02T04:26:15.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}