Information Disclosure Vulnerability in SAP Commerce Cloud Assisted Service Module
CVE-2024-47577

2.7LOW

Key Information:

Vendor: SAP
Status: SAP Commerce Cloud
Vendor: CVE Published:; 10 December 2024

What is CVE-2024-47577?

Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability. When an authorized agent searches for customer to manage their accounts, the request url includes customer data and it is recorded in server logs. If an attacker impersonating as authorized admin visits such server logs, then they get access to the customer data. The amount of leaked confidential data however is extremely limited, and the attacker has no control over what data is leaked.

Affected Version(s)

SAP Commerce Cloud HY_COM 2205

SAP Commerce Cloud COM_CLOUD 2211

References

https://me.sap.com/notes/3535451

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 10, 2024
Vulnerability Reserved
Sep 27, 2024