Clickjacking Vulnerability in SAP Commerce Backoffice
CVE-2025-24874
6.8 MEDIUM
What is CVE-2025-24874?
SAP Commerce's Backoffice currently relies on the deprecated X-Frame-Options response header to mitigate clickjacking. Browsers still honour the header today, so the control is effective now, but the header has been superseded by the frame-ancestors directive of Content Security Policy, and a future browser release that drops support for X-Frame-Options would leave the Backoffice with no framing restriction at all. In that case an attacker could embed the Backoffice in a page they control and trick an authenticated administrator into clicking on hidden UI, potentially manipulating data or exposing sensitive information. Note that where a response carries both headers, browsers that support frame-ancestors enforce the CSP directive and ignore X-Frame-Options, so adding a frame-ancestors policy alongside the existing header is the compatible way to prepare for this transition. Businesses using SAP Commerce should check which headers the Backoffice actually returns and plan accordingly.
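As an added example (not part of the CVE record or of SAP Commerce), the following Python script classifies a response's clickjacking protection from its headers, distinguishing the X-Frame-Options-only posture described above from one that also carries a frame-ancestors directive, and flagging header values that browsers already ignore. The header names and directive semantics are the standard ones; the header values below are constructed samples, not captured from a real Backoffice.

```python
"""Classify clickjacking protection from HTTP response headers.

Added example; not part of the CVE record or of SAP Commerce. The sample
header sets in SAMPLES are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent.

    CSP directives are separated by ';' and tokens by whitespace; directive
    names are case-insensitive. An empty source list is equivalent to 'none'.
    """
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:] or ["'none'"]
    return None


def classify(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (verdict, notes) for one response's headers.

    verdict is one of:
      'csp'       frame-ancestors present; browsers that support it enforce
                  this and ignore X-Frame-Options
      'xfo-only'  only X-Frame-Options restricts framing (the advisory's case)
      'none'      nothing a current browser would enforce
    """
    notes: List[str] = []
    enforced = frame_ancestors(_header(headers, "Content-Security-Policy"))
    report_only = frame_ancestors(_header(headers, "Content-Security-Policy-Report-Only"))
    xfo = _header(headers, "X-Frame-Options")
    xfo_norm = xfo.strip().upper() if xfo else None

    if report_only is not None and enforced is None:
        notes.append("frame-ancestors in Content-Security-Policy-Report-Only is not enforced.")
    if xfo_norm and xfo_norm.startswith("ALLOW-FROM"):
        notes.append("X-Frame-Options ALLOW-FROM is non-standard and ignored by current browsers.")
    elif xfo_norm and xfo_norm not in ("DENY", "SAMEORIGIN"):
        notes.append(f"Unrecognised X-Frame-Options value {xfo!r} is ignored by browsers.")

    if enforced is not None:
        if xfo_norm in ("DENY", "SAMEORIGIN"):
            notes.append("Both headers present: frame-ancestors wins where CSP is supported, "
                         "X-Frame-Options covers older clients.")
        return "csp", notes
    if xfo_norm in ("DENY", "SAMEORIGIN"):
        notes.append("Relies solely on deprecated X-Frame-Options; add a frame-ancestors directive.")
        return "xfo-only", notes
    return "none", notes


# Constructed sample responses (not real Backoffice traffic).
SAMPLES = {
    "xfo only (advisory posture)": {"X-Frame-Options": "SAMEORIGIN"},
    "csp plus xfo (recommended)": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "allow-from (no protection)": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "report-only csp (no protection)": {
        "Content-Security-Policy-Report-Only": "frame-ancestors 'none'",
    },
    "no headers": {},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        verdict, notes = classify(hdrs)
        print(f"{label}: {verdict}")
        for note in notes:
            print(f"    - {note}")
```

In practice, feed `classify()` the headers of the Backoffice login page and of an authenticated Backoffice view; a verdict of `xfo-only` is the posture this CVE describes, and `csp` with both headers is the compatible target state.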
Affected Version(s)
SAP Commerce (Backoffice) HY_COM 2205
SAP Commerce (Backoffice) COM_CLOUD 2211