CVE-2021-27619

CWE-20 — Improper Input Validation7 documents4 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 59.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Commerce (backoffice Search)SAP Commerce

Timeline

PublishedMay 11

Latest updateMay 24

Description

SAP Commerce (Backoffice Search), versions - 1808, 1811, 1905, 2005, 2011, allows a low privileged user to search for attributes which are not supposed to be displayed to them. Although the search results are masked, the user can iteratively enter one character at a time to search and determine the masked attribute value thereby leading to information disclosure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5sap_se/sap_commerce_(backoffice_search)< 1808+4

▶NVDsap/commerce5 versions+4

🔴Vulnerability Details

GHSA

GHSA-wcj9-7cp9-cw82: SAP Commerce (Backoffice Search), versions - 1808, 1811, 1905, 2005, 2011, allows a low privileged user to search for attributes which are not suppose↗2022-05-24

▶

OSV

python2.7 vulnerability↗2022-02-08

▶

CVEList

CVE-2021-27619: SAP Commerce (Backoffice Search), versions - 1808, 1811, 1905, 2005, 2011, allows a low privileged user to search for attributes which are not suppose↗2021-05-11

▶

OSV

python2.7 vulnerability↗2021-03-03

▶

OSV

python2.7 regression↗2021-02-25

▶