CVE-2024-47577Cleartext Transmission of Sensitive Info in SE SAP Commerce Cloud

CWE-319Cleartext Transmission of Sensitive Info3 documents3 sources
Severity
2.7LOWNVD
EPSS
0.0%
top 89.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP SE SAP Commerce Cloud
Timeline
PublishedDec 10

Description

Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability. When an authorized agent searches for customer to manage their accounts, the request url includes customer data and it is recorded in server logs. If an attacker impersonating as authorized admin visits such server logs, then they get access to the customer data. The amount of leaked confidential data however is extremely limited, and the attacker has no control over what data

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages1 packages

CVEListV5sap_se/sap_commerce_cloudCOM_CLOUD 2211, HY_COM 2205+1

🔴Vulnerability Details

2
CVEList
Information Disclosure vulnerability in SAP Commerce Cloud2024-12-10
GHSA
GHSA-734q-q7gr-735x: Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability2024-12-10
CVE-2024-47577 — SE SAP Commerce Cloud vulnerability | cvebase