SAP SE: SAP Commerce vulnerabilities
14 known vulnerabilities affecting sap_se/sap_commerce.
Total CVEs: 14
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 5, MEDIUM 3
Vulnerabilities
CVE-2025-24875 | MEDIUM, CVSS 6.8 | CWE-352 | Affected: HY_COM 2205, COM_CLOUD 2211 | Published: 2025-02-11
SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None (SameSite=None). This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and may lead to future compatibility issues.
Sources: cvelistv5, nvd
CVE-2024-41733 | MEDIUM, CVSS 5.3 | CWE-200 | Affected: HY_COM 2205, COM_CLOUD 2211 | Published: 2024-08-13
In SAP Commerce, valid user accounts can be identified during the customer registration and login processes. This allows a potential attacker to learn if a given e-mail is used for an account, but does not grant access to any customer data beyond this knowledge. The attacker must already know the e-mail that they wish to test for. The impact on conf
Sources: cvelistv5, nvd
CVE-2024-39597 | HIGH, CVSS 7.2 | CWE-285 | Affected: HY_COM 2205, COM_CLOUD 2211 | Published: 2024-07-09
In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as an isolated site, this can also grant access to other non-isolated early login si
Sources: cvelistv5, nvd
CVE-2023-39439 | CRITICAL, CVSS 9.8 (the summary line tags it HIGH) | CWE-258 | Affected: HY_COM 2105, HY_COM 2205, +1 more | Published: 2023-08-08
SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.
Sources: cvelistv5, nvd
CVE-2022-41204 | HIGH, CVSS 8.8 | CWE-601 | Affected: 1905, 2005, +3 more | Published: 2022-10-11
An attacker can change the content of an SAP Commerce (versions 1905, 2005, 2105, 2011, 2205) login page through a manipulated URL. They can inject code that allows them to redirect submissions from the affected login form to their own server. This allows them to steal credentials and hijack accounts. A successful attack could compromise the Confiden
Sources: cvelistv5, nvd
CVE-2021-42064 | CRITICAL, CVSS 9.8 | CWE-89 | Fixed in: 1905, 2005, +2 more | Published: 2021-12-14
If configured to use an Oracle database and if a query is created using the flexible search Java API with a parameterized "in" clause, SAP Commerce (versions 1905, 2005, 2105, 2011) allows an attacker to execute crafted database queries, exposing the backend database. The vulnerability is present if the parameterized "in" clause accepts more than 1000 va
Sources: cvelistv5, nvd
CVE-2021-40502 | HIGH, CVSS 8.8 | CWE-862 | Fixed in: 2105.3, 2011.13, +2 more | Published: 2021-11-10
SAP Commerce (versions 2105.3, 2011.13, 2005.18, 1905.34) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from B2B units they do not belong to.
Sources: cvelistv5, nvd
CVE-2021-27602 | CRITICAL, CVSS 9.9 | CWE-94 | Fixed in: 1808, 1811, +3 more | Published: 2021-04-13
The SAP Commerce (versions 1808, 1811, 1905, 2005, 2011) Backoffice application allows certain authorized users to create source rules which are translated to Drools rules when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enablin
Sources: cvelistv5, nvd
CVE-2021-21477 | CRITICAL, CVSS 9.9 | CWE-94 | Fixed in: 1808, 1811, +3 more | Published: 2021-02-09
SAP Commerce Cloud (versions 1808, 1811, 1905, 2005, 2011) enables certain users with the required privileges to edit Drools rules; an authenticated attacker with this privilege will be able to inject malicious code in the Drools rules which, when executed, leads to a Remote Code Execution vulnerability enabling the attacker to compromise the underlying host
Sources: cvelistv5, nvd
CVE-2020-6302 | HIGH, CVSS 8.1 | CWE-384 | Fixed in: 6.7, 1808, +3 more | Published: 2020-09-09
SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contain the jSession ID in the Backoffice URL when the application is loaded initially. An attacker can get this session ID via shoulder surfing or a man-in-the-middle attack and subsequently get access to admin user accounts, leading to Session Fixation and complete compromise of the confidentiality, int
Sources: cvelistv5, nvd
CVE-2020-6264 | HIGH, CVSS 7.5 | no CWE listed | Fixed in: 6.7, 1808, +2 more | Published: 2020-06-10
SAP Commerce (versions 6.7, 1808, 1811, 1905) may allow an attacker to access information under certain conditions which would otherwise be restricted, leading to Information Disclosure.
Sources: cvelistv5, nvd
CVE-2020-6265 | CRITICAL, CVSS 9.8 | CWE-798 | Fixed in: 6.7, 1808, +2 more | Published: 2020-06-09
SAP Commerce (versions 6.7, 1808, 1811, 1905) and SAP Commerce (Data Hub) (versions 6.7, 1808, 1811, 1905) allow an attacker to bypass the authentication and/or authorization that has been configured by the system administrator due to the use of Hardcoded Credentials.
Sources: cvelistv5, nvd
CVE-2020-6238 | CRITICAL, CVSS 9.3 | CWE-611 | Fixed in: 6.6, 6.7, +3 more | Published: 2020-04-14
SAP Commerce (versions 6.6, 6.7, 1808, 1811, 1905) does not process XML input securely in the REST API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce.
Sources: cvelistv5, nvd
CVE-2020-6232 | MEDIUM, CVSS 5.3 | CWE-862 | Fixed in: 1811, 1905 | Published: 2020-04-14
SAP Commerce (versions 1811, 1905) does not perform necessary authorization checks for an anonymous user, due to a Missing Authorization Check. This affects the confidentiality of secure media.
Sources: cvelistv5, nvd