CVE-2024-33003: Sensitive Information Exposure in SAP Commerce Cloud (SAP SE)

Severity: 9.1 CRITICAL (NVD); CNA: 7.4
EPSS: 0.6% (top 31.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 13, 2024

Description

Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII), such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. Anything placed in a URL is routinely recorded in web-server and proxy access logs, browser history, and Referer headers, so it becomes readable by anyone with access to those records. On successful exploitation, this could lead to a high impact on the confidentiality and integrity of the application.
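The check below is an added example, not part of this advisory or of SAP's own code. It scans web-server access logs for OCC request URLs that carry the PII categories the description names (password-bearing parameters, email addresses, mobile numbers, coupon and voucher codes) and redacts such URLs before they are stored or forwarded anywhere else. The log lines and OCC-style paths are constructed for illustration and do not identify which endpoints are affected; the parameter-name list, including `old`/`new` for a password change, is an assumption. Phone detection deliberately ignores short numeric identifiers such as cart codes so that they are not misreported.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Parameter names that, per the advisory's PII categories, should never travel in a URL.
# "old"/"new" (password change) are an assumption about OCC naming, not taken from the page.
SENSITIVE_PARAM_NAMES = {
    "password", "pwd", "passwd", "old", "new", "oldpassword", "newpassword",
    "email", "mobile", "mobilenumber", "phone",
    "coupon", "couponcode", "voucher", "vouchercode", "voucherid",
}

# Value shapes that betray PII even under an innocuous name (e.g. userId=<email>).
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[A-Za-z]{2,}$")
# E.164-like: optional '+', 10-15 digits, no leading zero. Short numeric ids such as an
# 8-digit cart code ("00001234") deliberately do not match.
PHONE_RE = re.compile(r"^\+?[1-9]\d{9,14}$")

# Common/combined log format: client ident user [time] "METHOD target proto" status size
ACCESS_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; the request shapes are illustrative OCC-style calls only.
SAMPLE_ACCESS_LOG = """
10.0.0.5 - - [13/Aug/2024:10:01:02 +0000] "POST /occ/v2/electronics/forgottenpasswordtokens?userId=alice%40example.com HTTP/1.1" 202 0
10.0.0.5 - - [13/Aug/2024:10:01:09 +0000] "PUT /occ/v2/electronics/users/alice%40example.com/password?old=Summer2024%21&new=Winter2024%21 HTTP/1.1" 202 0
10.0.0.7 - - [13/Aug/2024:10:02:15 +0000] "POST /occ/v2/electronics/users/current/carts/00001234/vouchers?voucherId=WELCOME10 HTTP/1.1" 200 0
10.0.0.9 - - [13/Aug/2024:10:03:00 +0000] "GET /occ/v2/electronics/products/search?query=camera&pageSize=20 HTTP/1.1" 200 5120
10.0.0.9 - - [13/Aug/2024:10:03:30 +0000] "GET /medias/logo.png HTTP/1.1" 200 812
""".strip().splitlines()


def value_looks_like_pii(value: str) -> Optional[str]:
    """Return a reason if the decoded value looks like an email address or phone number."""
    if EMAIL_RE.match(value):
        return "email-like value"
    if PHONE_RE.match(value):
        return "phone-like value"
    return None


def find_pii_in_url(target: str) -> list:
    """Inspect the path segments and query parameters of one request target."""
    findings = []
    parts = urlsplit(target)
    for seg in parts.path.split("/"):
        reason = value_looks_like_pii(unquote(seg))
        if reason:
            findings.append({"location": "path", "name": None, "reason": reason})
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAM_NAMES:
            findings.append({"location": "query", "name": name, "reason": "sensitive parameter name"})
        else:
            reason = value_looks_like_pii(value)
            if reason:
                findings.append({"location": "query", "name": name, "reason": reason})
    return findings


def scan_access_log(lines, occ_prefix: str = "/occ/") -> list:
    """Report PII-bearing OCC request URLs. Offending values are never copied into the report."""
    report = []
    for lineno, line in enumerate(lines, start=1):
        m = ACCESS_LINE_RE.match(line)
        if not m or not m.group("target").startswith(occ_prefix):
            continue  # unparseable line or not OCC traffic
        for f in find_pii_in_url(m.group("target")):
            report.append({"line": lineno, "method": m.group("method"), **f})
    return report


def redact_url(target: str) -> str:
    """Rewrite a request target so it can be logged or forwarded without the PII."""
    parts = urlsplit(target)
    segs = ["[REDACTED]" if value_looks_like_pii(unquote(s)) else s for s in parts.path.split("/")]
    pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAM_NAMES or value_looks_like_pii(value):
            pairs.append(f"{quote(name, safe='')}=[REDACTED]")
        else:
            pairs.append(f"{quote(name, safe='')}={quote(value, safe='')}")
    path = "/".join(segs)
    return f"{path}?{'&'.join(pairs)}" if pairs else path


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
```

Run this against real access logs before and after patching: findings that persist after the update point at endpoints still being called with PII in the URL (by clients as well as by the server), and the redaction rule is the interim mitigation to apply at the reverse proxy or log shipper while those calls are moved into request bodies.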

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD)
Exploitability: 3.9 | Impact: 5.2

Affected Packages (2 packages)

NVD: sap/commerce_cloud (8 versions, +7)
CVEListV5: sap_se/sap_commerce_cloud (8 versions, +7)

Vulnerability Details (2 sources)

CVEList: Information Disclosure Vulnerability in SAP Commerce Cloud (2024-08-13)
GHSA-7m3q-23p4-mw4v: Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers … (2024-08-13)