CVE-2024-33003

Summary

Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High impact on confidentiality and integrity of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP Commerce CloudHY_COM 1808affected
SAP_SESAP Commerce Cloud1811affected
SAP_SESAP Commerce Cloud1905affected
SAP_SESAP Commerce Cloud2005affected
SAP_SESAP Commerce Cloud2105affected
SAP_SESAP Commerce Cloud2011affected
SAP_SESAP Commerce Cloud2205affected
SAP_SESAP Commerce CloudCOM_CLOUD 2211affected

Weaknesses

  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References