CVE-2021-40502

8.8HIGH

Key Information:

Vendor: SAP
Status: SAP Commerce
Vendor: CVE Published:; 10 November 2021

Summary

SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to.

Affected Version(s)

SAP Commerce < 2105.3 < 2105.3

SAP Commerce < 2011.13 < 2011.13

SAP Commerce < 2005.18 < 2005.18

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...

x_refsource_MISC

https://launchpad.support.sap.com/#/notes/3110328

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 10, 2021
Vulnerability Reserved
Sep 3, 2021