CVE-2024-39597Improper Authorization in SE SAP Commerce

CWE-285Improper Authorization3 documents3 sources
Severity
7.2HIGHNVD
EPSS
0.2%
top 60.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP SE SAP Commerce
Timeline
PublishedJul 9

Description

In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.7

Affected Packages1 packages

CVEListV5sap_se/sap_commerceCOM_CLOUD 2211, HY_COM 2205+1

🔴Vulnerability Details

2
CVEList
[CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce2024-07-09
GHSA
GHSA-qj54-wmjw-h6gf: In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and r2024-07-09
CVE-2024-39597 — Improper Authorization | cvebase