Unauthenticated Access Vulnerability in SAP Commerce Coupon Codes
CVE-2025-27435

4.2MEDIUM

Key Information:

Vendor: SAP
Status: SAP Commerce Cloud
Vendor: CVE Published:; 8 April 2025

Summary

An unauthenticated attacker may exploit specific conditions in SAP Commerce to access sensitive customer coupon codes embedded in the URL parameters of the Coupon Campaign URL. This incident could enable the misuse of disclosed coupon codes, impacting the confidentiality and integrity of user data. It is essential for organizations using the affected versions of SAP Commerce to implement security measures to mitigate the risk associated with this vulnerability.

Affected Version(s)

SAP Commerce Cloud HY_COM 2205

SAP Commerce Cloud COM_CLOUD 2211

References

https://me.sap.com/notes/3539465

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

4.2

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Apr 8, 2025
Vulnerability Reserved
Feb 25, 2025