CVE-2024-33003
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High impact on confidentiality and integrity of the application.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SAP_SE | SAP Commerce Cloud | HY_COM 1808 | affected |
| SAP_SE | SAP Commerce Cloud | 1811 | affected |
| SAP_SE | SAP Commerce Cloud | 1905 | affected |
| SAP_SE | SAP Commerce Cloud | 2005 | affected |
| SAP_SE | SAP Commerce Cloud | 2105 | affected |
| SAP_SE | SAP Commerce Cloud | 2011 | affected |
| SAP_SE | SAP Commerce Cloud | 2205 | affected |
| SAP_SE | SAP Commerce Cloud | COM_CLOUD 2211 | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.