Vulnerabilities > SAP > Commerce Cloud > Critical

DATE CVE VULNERABILITY TITLE RISK
2024-08-13 CVE-2024-33003 Unspecified vulnerability in SAP Commerce Cloud
Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters.
network
low complexity
sap
critical
9.1
2023-08-08 CVE-2023-39439 Empty Password in Configuration File vulnerability in SAP Commerce Cloud and Commerce Hycom
SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.
network
low complexity
sap CWE-258
critical
9.8
2020-04-14 CVE-2020-6238 XXE vulnerability in SAP Commerce Cloud
SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation.
network
low complexity
sap CWE-611
critical
9.3
2019-08-14 CVE-2019-0344 Deserialization of Untrusted Data vulnerability in SAP Commerce Cloud
Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.
network
low complexity
sap CWE-502
critical
9.8