CVE-2023-42481

CWE-640CWE-284Improper Access Control3 documents3 sources
Severity
8.1HIGH
EPSS
0.1%
top 77.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP Commerce CloudSAP Commerce Cloud
Timeline
PublishedDec 12

Description

In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

CVEListV5sap_se/sap_commerce_cloud6 versions+5

🔴Vulnerability Details

2
CVEList
Improper Access Control vulnerability in SAP Commerce Cloud2023-12-12
GHSA
GHSA-vm64-h6mj-w9f2: In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forg2023-12-12
CVE-2023-42481 (HIGH CVSS 8.1) | In SAP Commerce Cloud - versions HY | cvebase.io