Vulnerabilities > SAP > Commerce Cloud > Medium

DATE CVE VULNERABILITY TITLE RISK
2021-06-09 CVE-2021-33666 Cross-site Scripting vulnerability in SAP Commerce Cloud 100
When SAP Commerce Cloud version 100, hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, could be used to facilitate an XSS attack or malware proliferation.
network
low complexity
sap CWE-79
6.1
2021-01-12 CVE-2021-21445 HTTP Request Smuggling vulnerability in SAP Commerce Cloud
SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, 2011, allows an authenticated attacker to include invalidated data in the HTTP response Content Type header, due to improper input validation, and sent to a Web user.
network
low complexity
sap CWE-444
5.4
2020-11-10 CVE-2020-26809 Incorrect Default Permissions vulnerability in SAP Commerce Cloud
SAP Commerce Cloud, versions- 1808,1811,1905,2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint hence gaining access to Secure Media folders.
network
low complexity
sap CWE-276
5.3
2020-10-15 CVE-2020-6363 Insufficient Session Expiration vulnerability in SAP Commerce Cloud
SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user.
network
low complexity
sap CWE-613
4.6
2020-10-15 CVE-2020-6272 Cross-site Scripting vulnerability in SAP Commerce Cloud
SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several web CMS components.
network
low complexity
sap CWE-79
5.4
2020-04-14 CVE-2020-6232 Missing Authorization vulnerability in SAP Commerce Cloud 1811/1905
SAP Commerce, versions 1811, 1905, does not perform necessary authorization checks for an anonymous user, due to Missing Authorization Check.
network
low complexity
sap CWE-862
5.3
2020-03-10 CVE-2020-6201 Cross-site Scripting vulnerability in SAP Commerce Cloud
The SAP Commerce (Testweb Extension), versions- 6.6, 6.7, 1808, 1811, 1905, does not sufficiently encode user-controlled inputs, due to which certain GET URL parameters are reflected in the HTTP responses without escaping/sanitization, leading to Reflected Cross Site Scripting.
network
low complexity
sap CWE-79
6.1
2020-03-10 CVE-2020-6200 Cross-site Scripting vulnerability in SAP Commerce Cloud
The SAP Commerce (SmartEdit Extension), versions- 6.6, 6.7, 1808, 1811, is vulnerable to client-side angularjs template injection, a variant of Cross-Site-Scripting (XSS) that exploits the templating facilities of the angular framework.
network
low complexity
sap CWE-79
5.4