Improper Access Control vulnerability in SAP Commerce Cloud
CVE-2023-42481

8.1HIGH

Key Information:

Vendor: SAP
Status: SAP Commerce Cloud
Vendor: CVE Published:; 12 December 2023

What is CVE-2023-42481?

In SAP Commerce Cloud, specifically in multiple versions such as HY_COM 1905 and others, an access control vulnerability allows a locked B2B user to exploit the forgotten password feature to restore their access. This misuse occurs particularly when the Composable Storefront is utilized, exposing significant risks to both confidentiality and integrity within the system. Weak access control measures fail to prevent unauthorized account recovery, raising concerns for organizations relying on SAP for secure e-commerce solutions.

Affected Version(s)

SAP Commerce Cloud HY_COM 1905

SAP Commerce Cloud HY_COM 2005

SAP Commerce Cloud HY_COM2105

References

https://me.sap.com/notes/3394567

https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2023
Vulnerability Reserved
Sep 11, 2023