Server-Side Request Forgery Vulnerability in SAP Hybris Commerce API
CVE-2018-2463

8.6HIGH

Key Information:

Vendor

SAP
Status
SAP Hybris Commerce
Vendor
CVE Published:
11 September 2018

What is CVE-2018-2463?

The Omni Commerce Connect API (OCC) in SAP Hybris Commerce versions 6.* is susceptible to server-side request forgery (SSRF) due to a misconfiguration of the XML parser on the server. This vulnerability may allow an attacker to send unauthorized requests to internal resources, potentially compromising sensitive data or services. Ensuring proper configuration and security measures are essential to mitigate these risks.

Affected Version(s)

SAP Hybris Commerce = 6.*

References

http://www.securityfocus.com/bid/105339
vdb-entryx_refsource_BID
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...
x_refsource_CONFIRM
https://launchpad.support.sap.com/#/notes/2680834
x_refsource_MISC

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.