Vulnerabilities > SAP > Commerce Cloud > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-06-09 | CVE-2021-33666 | Cross-site Scripting vulnerability in SAP Commerce Cloud 100: when SAP Commerce Cloud version 100 hosts a JavaScript storefront, it is vulnerable to MIME sniffing, which, in certain circumstances, could be used to facilitate an XSS attack or malware proliferation. | 4.3 |
2020-11-10 | CVE-2020-26809 | Incorrect Default Permissions vulnerability in SAP Commerce Cloud: SAP Commerce Cloud, versions 1808, 1811, 1905, 2005, allows an attacker to bypass existing authentication and permission checks via the '/medias' endpoint, hence gaining access to Secure Media folders. | 5.0 |
2020-10-15 | CVE-2020-6363 | Insufficient Session Expiration vulnerability in SAP Commerce Cloud: SAP Commerce Cloud, versions 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user. | 4.9 |
2020-04-14 | CVE-2020-6232 | Missing Authorization vulnerability in SAP Commerce Cloud 1811/1905: SAP Commerce, versions 1811, 1905, does not perform the necessary authorization checks for an anonymous user, due to a Missing Authorization Check. | 5.0 |
2020-03-10 | CVE-2020-6201 | Cross-site Scripting vulnerability in SAP Commerce Cloud: SAP Commerce (Testweb Extension), versions 6.6, 6.7, 1808, 1811, 1905, does not sufficiently encode user-controlled inputs, due to which certain GET URL parameters are reflected in the HTTP responses without escaping/sanitization, leading to Reflected Cross-Site Scripting. | 4.3 |
2019-08-14 | CVE-2019-0343 | Code Injection vulnerability in SAP Commerce Cloud: SAP Commerce Cloud (Mediaconversion Extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, allows an authenticated Backoffice/HMC user to inject code that can be executed by the application, leading to Code Injection. | 6.5 |
2019-07-10 | CVE-2019-0322 | Unspecified vulnerability in SAP Commerce Cloud: SAP Commerce Cloud (previously known as SAP Hybris Commerce) (HY_COM, versions 6.3, 6.4, 6.5, 6.6, 6.7, 1808, 1811), allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. | 5.0 |