CVE-2022-41204Open Redirect in SE SAP Commerce

CWE-601Open Redirect3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.4%
top 38.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP CommerceSAP Commerce
Timeline
PublishedOct 11
Latest updateOct 12

Description

An attacker can change the content of an SAP Commerce - versions 1905, 2005, 2105, 2011, 2205, login page through a manipulated URL. They can inject code that allows them to redirect submissions from the affected login form to their own server. This allows them to steal credentials and hijack accounts. A successful attack could compromise the Confidentiality, Integrity, and Availability of the system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDsap/commerce5 versions+4
CVEListV5sap_se/sap_commerce5 versions+4

🔴Vulnerability Details

2
GHSA
GHSA-h62p-q557-5jwp: An attacker can change the content of an SAP Commerce - versions 1905, 2005, 2105, 2011, 2205, login page through a manipulated URL2022-10-12
CVEList
CVE-2022-41204: An attacker can change the content of an SAP Commerce - versions 1905, 2005, 2105, 2011, 2205, login page through a manipulated URL2022-10-11
CVE-2022-41204 — Open Redirect in SAP SE SAP Commerce | cvebase