Information Disclosure Vulnerability in SAP Commerce Backoffice Search
CVE-2021-27619
6.5 MEDIUM
Summary
The Backoffice Search functionality of SAP Commerce allows low-privileged users to search on attributes that are intended to remain concealed. Although the search results are masked, a user can reveal sensitive attribute values by incrementally inputting characters, which leads to information disclosure. This flaw puts the confidentiality of user data at risk and requires prompt attention to mitigate potential exposure.
Affected Version(s)
SAP Commerce (Backoffice Search) < 1808
SAP Commerce (Backoffice Search) < 1811
SAP Commerce (Backoffice Search) < 1905
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved