OCC API Endpoints Vulnerable to PII Data Exposure

CVE-2024-33003

9.1CRITICAL

Key Information

Vendor: SAP
Status: SAP Commerce Cloud
Vendor: CVE Published:; 13 August 2024

Summary

Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High impact on confidentiality and integrity of the application.

Affected Version(s)

SAP Commerce Cloud = HY_COM 1808

SAP Commerce Cloud = 1811

SAP Commerce Cloud = 1905

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Aug 13, 2024
Vulnerability Reserved.
Apr 23, 2024

Collectors

NVD DatabaseMitre Database