SAP Commerce Vulnerability: Misuse of Forgotten Password Functionality Can Grant Access to Non-Isolated Sites
CVE-2024-39597

7.2 HIGH

Key Information:

Vendor: SAP
CVE Published: 9 July 2024

Summary

The vulnerability in SAP Commerce allows a user to misuse the forgotten password functionality to gain unauthorized access to a Composable Storefront B2B site on which early login and registration are enabled. The issue becomes more serious when the site is not configured to run as an isolated instance: in that case an attacker can gain access not only to the vulnerable site but also to other non-isolated early login sites, even where registration is disabled on those sites. Correct site isolation configuration and a review of the user account approval process are the essential mitigations.

Affected Version(s)

SAP Commerce HY_COM 2205

SAP Commerce COM_CLOUD 2211

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved