CVE-2024-47577 LOW

CVE-2024-47577: Information Disclosure vulnerability in SAP Commerce Cloud

Vendor Sap_Se
Product SAP Commerce Cloud
Weakness CWE-319 · Cleartext transmission
Published December 10, 2024
Last update December 10, 2024

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Webservice API endpoints for the Assisted Service Module within SAP Commerce Cloud have an information disclosure vulnerability. When an authorized agent searches for a customer to manage their account, the request URL includes customer data, which is recorded in the server logs. If an attacker impersonating an authorized admin accesses these server logs, they gain access to the customer data. However, the amount of leaked confidential data is extremely limited, and the attacker has no control over what data is leaked.

Key dates

02 Disclosure timeline

December 10, 2024 CVE published
December 10, 2024 Record updated