SAP Commerce Vulnerability: Misuse of Forgotten Password Functionality Can Grant Access to Non-Isolated Sites

CVE-2024-39597
CVSS 7.2 (HIGH)

Key Information

Vendor: SAP
Product: SAP Commerce
CVE Published: 9 July 2024

Summary

In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site on which early login and registration are activated, without the merchant having approved the account beforehand. If the site is not configured as an isolated site, the same account can also be used to log in to other non-isolated early login sites, even where registration is not enabled for those sites, because non-isolated sites share one customer pool.
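The following Python is an added illustration written for this page; it is not SAP Commerce code and every identifier in it (Site, Customer, Storefront, reset_password_vulnerable, reset_password_fixed, the site names) is invented. It models the two conditions the summary combines: a password-reset flow that silently activates an account the merchant never approved, and a customer pool shared between sites that are not marked isolated, so the activated account also works on a site whose own registration is closed.

```python
# Illustrative model, written for this page: NOT SAP Commerce code.  All classes,
# fields and behaviour below are assumptions used to show the failure mode in the
# advisory: (1) a forgotten-password flow that doubles as an account-activation
# path, and (2) a customer pool shared between non-isolated storefront sites.
from dataclasses import dataclass
import hashlib
import secrets


@dataclass
class Site:
    uid: str
    registration_enabled: bool
    early_login: bool          # login is required before the catalogue is shown
    isolated: bool             # customers are bound to this site only


@dataclass
class Customer:
    email: str
    home_site: str             # site the account was registered on
    password_hash: str = ""
    approved: bool = False     # merchant approval of a B2B registration
    login_enabled: bool = False


def _hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


class Storefront:
    def __init__(self, sites):
        self.sites = {s.uid: s for s in sites}
        self.customers = {}        # ONE pool shared by every site
        self.reset_tokens = {}

    def register(self, site_uid, email):
        if not self.sites[site_uid].registration_enabled:
            raise PermissionError(f"registration disabled on {site_uid}")
        # B2B self-registration: the account exists but stays locked until approved
        self.customers[email] = Customer(email=email, home_site=site_uid)

    def request_reset(self, email):
        # Only checks that the account exists, not that it was ever approved
        if email not in self.customers:
            raise KeyError(email)
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = email
        return token

    def reset_password_vulnerable(self, token, new_pw):
        cust = self.customers[self.reset_tokens.pop(token)]
        cust.password_hash = _hash(new_pw)
        cust.login_enabled = True            # FLAW: reset implicitly activates the account

    def reset_password_fixed(self, token, new_pw):
        cust = self.customers[self.reset_tokens.pop(token)]
        cust.password_hash = _hash(new_pw)
        cust.login_enabled = cust.approved   # activation stays tied to merchant approval

    def approve(self, email):
        cust = self.customers[email]
        cust.approved = True
        cust.login_enabled = True

    def login(self, site_uid, email, pw):
        site = self.sites[site_uid]
        cust = self.customers.get(email)
        if cust is None or not cust.login_enabled or not cust.password_hash:
            return False
        if not secrets.compare_digest(cust.password_hash, _hash(pw)):
            return False
        # An isolated site accepts only customers registered on it, and a customer
        # of an isolated site may not log in anywhere else.  Non-isolated sites
        # trust the shared pool, which is what lets the account travel.
        home = self.sites[cust.home_site]
        if (site.isolated or home.isolated) and cust.home_site != site_uid:
            return False
        return True


def scenario(fixed: bool) -> dict:
    """Register an unapproved B2B user on the one site with open registration,
    reset the password, then try to log in on every site.  Returns per-site results."""
    sf = Storefront([
        Site("b2b-open",     registration_enabled=True,  early_login=True, isolated=False),
        Site("b2b-closed",   registration_enabled=False, early_login=True, isolated=False),
        Site("b2b-isolated", registration_enabled=False, early_login=True, isolated=True),
    ])
    sf.register("b2b-open", "attacker@example.com")        # constructed sample identity
    token = sf.request_reset("attacker@example.com")
    if fixed:
        sf.reset_password_fixed(token, "NewPassw0rd!")
    else:
        sf.reset_password_vulnerable(token, "NewPassw0rd!")
    return {uid: sf.login(uid, "attacker@example.com", "NewPassw0rd!") for uid in sf.sites}


if __name__ == "__main__":
    print("vulnerable reset:", scenario(fixed=False))
    print("fixed reset:     ", scenario(fixed=True))
```

With the vulnerable reset the never-approved account logs in on b2b-open and also on b2b-closed, where registration is switched off; only the isolated site refuses it. With the fixed reset the account remains locked on every site until approve() is called, and even then the isolation check keeps it off b2b-isolated. The two controls are independent: approval gating stops the reset from acting as activation, and site isolation stops an account from crossing site boundaries.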

Affected Version(s)

SAP Commerce = HY_COM 2205

SAP Commerce = COM_CLOUD 2211

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Score: 7.2
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Timeline

  • Vulnerability reserved.

  • Vulnerability published (9 July 2024).

Collectors

NVD Database, MITRE Database