cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-47577,https://securityvulnerability.io/vulnerability/CVE-2024-47577,Information Disclosure Vulnerability in SAP Commerce Cloud Assisted Service Module,"Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability. When an authorized agent searches for customer to manage their accounts, the request url includes customer data and it is recorded in server logs. If an attacker impersonating as authorized admin visits such server logs, then they get access to the customer data. The amount of leaked confidential data however is extremely limited, and the attacker has no control over what data is leaked.",SAP,SAP Commerce Cloud,2.7,LOW,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-10T00:11:49.563Z,0
CVE-2024-33003,https://securityvulnerability.io/vulnerability/CVE-2024-33003,OCC API Endpoints Vulnerable to PII Data Exposure,"A vulnerability has been identified in certain OCC API endpoints of SAP Commerce Cloud, which allows for the exposure of Personally Identifiable Information (PII). This issue occurs when sensitive data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, is included directly in the request URL, either as query or path parameters. The compromised integrity and confidentiality of this information can have serious repercussions, making it crucial for organizations using affected versions to assess their security posture. To mitigate the risks associated with this vulnerability, users are advised to apply the appropriate security patches and review their API endpoint configurations.",SAP,SAP Commerce Cloud,9.1,CRITICAL,0.000910000002477318,false,,false,false,false,,,false,false,,2024-08-13T03:36:55.034Z,0
CVE-2023-42481,https://securityvulnerability.io/vulnerability/CVE-2023-42481,Improper Access Control vulnerability in SAP Commerce Cloud,"In SAP Commerce Cloud, specifically in multiple versions such as HY_COM 1905 and others, an access control vulnerability allows a locked B2B user to exploit the forgotten password feature to restore their access. This misuse occurs particularly when the Composable Storefront is utilized, exposing significant risks to both confidentiality and integrity within the system. Weak access control measures fail to prevent unauthorized account recovery, raising concerns for organizations relying on SAP for secure e-commerce solutions.",SAP,SAP Commerce Cloud,8.1,HIGH,0.0006399999838322401,false,,false,false,false,,,false,false,,2023-12-12T01:15:00.000Z,0
CVE-2021-33666,https://securityvulnerability.io/vulnerability/CVE-2021-33666,MIME Sniffing Vulnerability in SAP Commerce Cloud JavaScript Storefront,"The SAP Commerce Cloud version 100 poses a security vulnerability when hosting a JavaScript storefront due to improper MIME type handling. This flaw allows for MIME sniffing, which could potentially be exploited to launch cross-site scripting (XSS) attacks or distribute malware. Organizations using this version should ensure that they implement proper content type headers to mitigate such risks.",SAP,SAP Commerce Cloud,4.7,MEDIUM,0.0008399999933317304,false,,false,false,false,,,false,false,,2021-06-09T13:32:45.000Z,0
CVE-2021-21445,https://securityvulnerability.io/vulnerability/CVE-2021-21445,Improper Input Validation in SAP Commerce Cloud,"SAP Commerce Cloud versions 1808, 1811, 1905, 2005, and 2011 are impacted by a vulnerability that allows authenticated attackers to include invalidated data in the HTTP response Content Type header. This issue arises from insufficient input validation, potentially leading to advanced exploitation tactics such as cross-site scripting and page hijacking, which can compromise web user integrity and application security.",SAP,SAP Commerce Cloud,5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2021-01-12T14:42:03.000Z,0
CVE-2020-26810,https://securityvulnerability.io/vulnerability/CVE-2020-26810,Denial of Service Vulnerability in SAP Commerce Cloud by SAP,"A vulnerability in SAP Commerce Cloud, specifically in the Accelerator Payment Mock component, allows unauthenticated attackers to send specially crafted requests to certain URLs. This exploitation can lead to a service outage, effectively rendering the SAP Commerce service unavailable. The issue arises without compromising the confidentiality or integrity of the system, highlighting a significant concern for maintaining service availability in affected versions.",SAP,SAP Commerce Cloud (accelerator Payment Mock),7.5,HIGH,0.0012400000123307109,false,,false,false,false,,,false,false,,2020-11-10T16:20:28.000Z,0
CVE-2020-26811,https://securityvulnerability.io/vulnerability/CVE-2020-26811,Server Side Request Forgery in SAP Commerce Cloud Accelerators,"The SAP Commerce Cloud (Accelerator Payment Mock) vulnerabilities in versions 1808, 1811, 1905, and 2005 allow unauthenticated attackers to exploit the system by sending specially crafted requests to specific module URLs. This can facilitate a Server Side Request Forgery (SSRF) attack, enabling the attacker to retrieve limited information about the service without compromising its integrity or availability.",SAP,SAP Commerce Cloud (accelerator Payment Mock),5.3,MEDIUM,0.0020200000144541264,false,,false,false,false,,,false,false,,2020-11-10T16:12:03.000Z,0
CVE-2020-26809,https://securityvulnerability.io/vulnerability/CVE-2020-26809,Authentication Bypass Vulnerability in SAP Commerce Cloud,"SAP Commerce Cloud versions 1808, 1811, 1905, and 2005 have a significant vulnerability that enables attackers to circumvent established authentication and permission checks via the '/medias' endpoint. This breach allows unauthorized access to secure media folders, potentially exposing sensitive files that could disclose confidential information and jeopardize system configuration security.",SAP,SAP Commerce Cloud,5.3,MEDIUM,0.0015999999595806003,false,,false,false,false,,,false,false,,2020-11-10T16:10:56.000Z,0
CVE-2020-6363,https://securityvulnerability.io/vulnerability/CVE-2020-6363,Insufficient Session Expiration in SAP Commerce Cloud,"SAP Commerce Cloud versions 1808, 1811, 1905, and 2005 have a vulnerability that occurs when a user changes their passphrase; the system does not invalidate existing sessions. This behavior allows an attacker to exploit the old session credentials, posing significant security risks as it compromises session integrity. Users should be aware of the potential for unauthorized access to their accounts due to this insufficient session expiration vulnerability.",SAP,SAP Commerce Cloud,4.6,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2020-10-15T01:53:18.000Z,0
CVE-2020-6272,https://securityvulnerability.io/vulnerability/CVE-2020-6272,Cross-Site Scripting Vulnerability in SAP Commerce Cloud,"The SAP Commerce Cloud versions 1808, 1811, 1905, and 2005 contain a vulnerability that fails to properly encode user inputs. This deficiency allows an authenticated content manager to inject malicious scripts into various web CMS components. These scripts can be saved and may execute when the corresponding web page is accessed, leading to potential exploitation via Cross-Site Scripting (XSS). Effective measures should be implemented to mitigate this risk and secure user data.",SAP,SAP Commerce Cloud,5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2020-10-15T01:46:38.000Z,0
CVE-2020-6201,https://securityvulnerability.io/vulnerability/CVE-2020-6201,Reflected Cross Site Scripting Vulnerability in SAP Commerce by SAP,"SAP Commerce, specifically in the Testweb Extension across multiple versions, lacks adequate encoding of user-controlled inputs. This vulnerability allows certain GET URL parameters to be reflected in HTTP responses without proper escaping or sanitization, which can lead to reflected cross site scripting attacks. Malicious users could exploit this weakness to inject arbitrary scripts into pages viewed by other users, potentially compromising sensitive information and overall web application security.",SAP,SAP Commerce Cloud (testweb Extension),6.1,MEDIUM,0.0008399999933317304,false,,false,false,false,,,false,false,,2020-03-10T20:19:04.000Z,0
CVE-2020-6200,https://securityvulnerability.io/vulnerability/CVE-2020-6200,Client-Side AngularJS Template Injection in SAP Commerce SmartEdit Extension,"The SAP Commerce SmartEdit Extension, found in versions 6.6, 6.7, 1808, and 1811, is susceptible to a client-side angularjs template injection. This vulnerability allows attackers to exploit the templating capabilities of the Angular framework, potentially enabling unauthorized access to sensitive information or actions within the application. Organizations utilizing affected versions should implement necessary security measures to mitigate the risk associated with this vulnerability.",SAP,SAP Commerce Cloud (smartedit Extension),5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2020-03-10T20:18:50.000Z,0
CVE-2019-0344,https://securityvulnerability.io/vulnerability/CVE-2019-0344,Code Injection Vulnerability in SAP Commerce Cloud by SAP,"A vulnerability exists within the SAP Commerce Cloud due to unsafe deserialization in the virtualjdbc extension. This flaw allows an attacker to execute arbitrary code on a server with 'Hybris' user privileges, potentially leading to unauthorized control over affected systems. Users of versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, and 1905 should take immediate steps to secure their environments.",SAP,SAP Commerce Cloud (virtualjdbc Extension),9.8,CRITICAL,0.2835400104522705,true,2024-09-30T00:00:00.000Z,false,false,true,2024-09-30T00:00:00.000Z,,false,false,,2019-08-14T13:53:21.000Z,0
CVE-2019-0343,https://securityvulnerability.io/vulnerability/CVE-2019-0343,Code Injection Vulnerability in SAP Commerce Cloud's Mediaconversion Extension,"The SAP Commerce Cloud's Mediaconversion Extension contains a vulnerability that allows authenticated Backoffice/HMC users to execute injected code. This flaw provides an attacker with the ability to manipulate application behavior, potentially compromising the integrity of the application. It is essential for organizations using affected versions to assess their security posture and implement necessary mitigations to safeguard against this vulnerability.",SAP,SAP Commerce Cloud (mediaconversion Extension),8.8,HIGH,0.0008999999845400453,false,,false,false,false,,,false,false,,2019-08-14T13:53:05.000Z,0
CVE-2019-0322,https://securityvulnerability.io/vulnerability/CVE-2019-0322,Denial of Service Vulnerability in SAP Commerce Cloud,"SAP Commerce Cloud, previously known as SAP Hybris Commerce, is susceptible to a Denial of Service vulnerability that enables attackers to disrupt access for legitimate users. By exploiting this flaw, an adversary can either crash the service or inundate it with traffic, effectively preventing users from reaching the services they need. This situation poses serious operational challenges and user experience issues, requiring prompt attention to mitigate associated risks.",SAP,SAP Commerce Cloud (ex SAP Hybris Commerce) (hy Com),7.5,HIGH,0.004040000028908253,false,,false,false,false,,,false,false,,2019-07-10T19:00:32.000Z,0