CVE-2023-42481

Summary

In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP Commerce CloudHY_COM 1905affected
SAP_SESAP Commerce CloudHY_COM 2005affected
SAP_SESAP Commerce CloudHY_COM2105affected
SAP_SESAP Commerce CloudHY_COM 2011affected
SAP_SESAP Commerce CloudHY_COM 2205affected
SAP_SESAP Commerce CloudCOM_CLOUD 2211affected

Weaknesses

  • CWE-640: CWE-640: Weak Password Recovery Mechanism for Forgotten Password

ADP Enrichment

CVE Program Container

Additional References

References