Vulnerabilities > CVE-2024-33003 - Unspecified vulnerability in SAP Commerce Cloud

CVSS 9.1 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

sap

critical

NVD

Published: 2024-08-13

Updated: 2024-09-16

Summary

Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High impact on confidentiality and integrity of the application.

Vulnerable Configurations

Part	Description	Count
Application	Sap SAP Commerce Cloud 1811 SAP Commerce Cloud 1905 SAP Commerce Cloud 2005 SAP Commerce Cloud 2011 SAP Commerce Cloud Hy_Com_1808 SAP Commerce Cloud 2105 SAP Commerce Cloud 2205 SAP Commerce Cloud Com_Cloud_2211	8

References

https://me.sap.com/notes/3459935
https://url.sap/sapsecuritypatchday