Vulnerabilites related to sap - commerce_backoffice
cve-2024-41735
Vulnerability from cvelistv5
Published
2024-08-13 03:49
Modified
2024-08-13 14:44
Severity ?
EPSS score ?
Summary
SAP Commerce Backoffice does not sufficiently
encode user-controlled inputs, resulting in Cross-Site Scripting (XSS)
vulnerability causing low impact on confidentiality and integrity of the
application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Commerce Backoffice |
Version: HY_COM 2205 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-41735", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-13T14:44:14.587212Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-13T14:44:24.355Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP Commerce Backoffice", vendor: "SAP_SE", versions: [ { status: "affected", version: "HY_COM 2205", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "SAP Commerce Backoffice does not sufficiently\nencode user-controlled inputs, resulting in Cross-Site Scripting (XSS)\nvulnerability causing low impact on confidentiality and integrity of the\napplication.", }, ], value: "SAP Commerce Backoffice does not sufficiently\nencode user-controlled inputs, resulting in Cross-Site Scripting (XSS)\nvulnerability causing low impact on confidentiality and integrity of the\napplication.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-08-13T03:49:48.215Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3483256", }, { url: "https://url.sap/sapsecuritypatchday", }, ], source: { discovery: "UNKNOWN", }, title: "Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-41735", datePublished: "2024-08-13T03:49:48.215Z", dateReserved: "2024-07-22T08:06:52.677Z", dateUpdated: "2024-08-13T14:44:24.355Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-45278
Vulnerability from cvelistv5
Published
2024-10-08 03:21
Modified
2024-10-08 13:57
Severity ?
EPSS score ?
Summary
SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Commerce Backoffice |
Version: HY_COM 2205 Version: COM_CLOUD 2211 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:sap_se:sap_commerce_backoffice:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "sap_commerce_backoffice", vendor: "sap_se", versions: [ { status: "affected", version: "HY_COM 2205", }, { status: "affected", version: "COM_CLOUD 2211", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-45278", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-08T13:54:17.608804Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-08T13:57:27.631Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP Commerce Backoffice", vendor: "SAP_SE", versions: [ { status: "affected", version: "HY_COM 2205", }, { status: "affected", version: "COM_CLOUD 2211", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.</p>", }, ], value: "SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79: Improper Neutralization of Input During Web Page Generation", lang: "eng", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-10-08T03:21:25.904Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3507545", }, { url: "https://url.sap/sapsecuritypatchday", }, ], source: { discovery: "UNKNOWN", }, title: "Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2024-45278", datePublished: "2024-10-08T03:21:25.904Z", dateReserved: "2024-08-26T10:39:20.931Z", dateUpdated: "2024-10-08T13:57:27.631Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2024-08-13 04:15
Modified
2024-09-12 13:53
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
SAP Commerce Backoffice does not sufficiently
encode user-controlled inputs, resulting in Cross-Site Scripting (XSS)
vulnerability causing low impact on confidentiality and integrity of the
application.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3483256 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | commerce_backoffice | hy_com_2205 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:commerce_backoffice:hy_com_2205:*:*:*:*:*:*:*", matchCriteriaId: "BDC3D015-A14B-416E-9E67-81B59E581ACC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP Commerce Backoffice does not sufficiently\nencode user-controlled inputs, resulting in Cross-Site Scripting (XSS)\nvulnerability causing low impact on confidentiality and integrity of the\napplication.", }, { lang: "es", value: "SAP Commerce Backoffice no codifica suficientemente las entradas controladas por el usuario, lo que genera una vulnerabilidad de Cross-Site Scripting (XSS) que causa un bajo impacto en la confidencialidad y la integridad de la aplicación.", }, ], id: "CVE-2024-41735", lastModified: "2024-09-12T13:53:32.993", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-08-13T04:15:09.323", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3483256", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://url.sap/sapsecuritypatchday", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-10-08 04:15
Modified
2024-11-14 17:17
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cna@sap.com | https://me.sap.com/notes/3507545 | Permissions Required | |
| cna@sap.com | https://url.sap/sapsecuritypatchday | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| sap | commerce_backoffice | 2205 | |
| sap | commerce_backoffice | 2211 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:sap:commerce_backoffice:2205:*:*:*:*:*:*:*", matchCriteriaId: "5F2AFF4D-0AEA-4A86-A9C8-DF4A4CE88C4C", vulnerable: true, }, { criteria: "cpe:2.3:a:sap:commerce_backoffice:2211:*:*:*:*:*:*:*", matchCriteriaId: "3F9EAF0D-6C5D-48BB-B0AB-8E72AE48EBDB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.", }, { lang: "es", value: "SAP Commerce Backoffice no codifica lo suficiente las entradas controladas por el usuario, lo que genera una vulnerabilidad de tipo Cross-Site Scripting (XSS). Después de una explotación exitosa, un atacante puede causar un impacto limitado en la confidencialidad e integridad de la aplicación.", }, ], id: "CVE-2024-45278", lastModified: "2024-11-14T17:17:12.640", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "cna@sap.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-10-08T04:15:08.400", references: [ { source: "cna@sap.com", tags: [ "Permissions Required", ], url: "https://me.sap.com/notes/3507545", }, { source: "cna@sap.com", tags: [ "Vendor Advisory", ], url: "https://url.sap/sapsecuritypatchday", }, ], sourceIdentifier: "cna@sap.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "cna@sap.com", type: "Primary", }, ], }