Cross-Site Scripting Vulnerability in SAP Commerce by SAP
CVE-2025-27434

8.8HIGH

Key Information:

Vendor: SAP
Status: SAP Commerce (swagger Ui)
Vendor: CVE Published:; 11 March 2025

What is CVE-2025-27434?

The vulnerability in SAP Commerce's Swagger UI results from insufficient input validation, which permits an unauthenticated attacker to inject malicious code from remote sources. This flaw can potentially lead to a cross-site scripting (XSS) attack, compromising the confidentiality, integrity, and availability of sensitive data within SAP Commerce, thereby posing significant risks to the overall security of the application.

Affected Version(s)

SAP Commerce (Swagger UI) COM_CLOUD 2211

References

https://me.sap.com/notes/3569602

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2025
Vulnerability Reserved
Feb 25, 2025