CVE-2025-24874 (MEDIUM)

CVE-2025-24874: Missing Defense in Depth Against Clickjacking in SAP Commerce Backoffice

Vendor: Sap_Se
Product: SAP Commerce (Backoffice)
Weakness: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)
Published: February 11, 2025
Last update: February 18, 2025

CVSS base score: 6.8/10

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

Description

SAP Commerce (Backoffice) relies on the deprecated X-Frame-Options header to protect against clickjacking. This protection is still effective today, but it may not remain so: browsers could drop support for the header in favor of the Content-Security-Policy frame-ancestors directive. If that happens, clickjacking of the Backoffice would become possible and could lead to exposure and modification of sensitive information.
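The record's point is that X-Frame-Options alone is a single, deprecated layer; the defense-in-depth fix is to send a CSP frame-ancestors directive as well. The following check, written for this page and not taken from SAP or any SAP tooling, classifies a response's headers so that deployments relying only on X-Frame-Options can be spotted during a review. The header samples are constructed, not captured from SAP Commerce.

```python
"""Classify HTTP response headers by the clickjacking protection they carry.

Flags responses that rely only on the deprecated X-Frame-Options header
(the situation CVE-2025-24874 describes) and not on the CSP
frame-ancestors directive. Header samples below are constructed.
"""
from typing import Dict, List


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def clickjacking_assessment(headers: Dict[str, str]) -> str:
    """Return 'csp', 'xfo-only' or 'none'.

    'csp'      - frame-ancestors present (current, supported protection)
    'xfo-only' - only the deprecated X-Frame-Options header, i.e. the
                 missing defense in depth described by CVE-2025-24874
    'none'     - no framing restriction at all
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(lower.get("content-security-policy", ""))
    xfo = lower.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" in csp:
        return "csp"
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo-only"
    return "none"


# Constructed sample responses (hypothetical, not real SAP Commerce output).
SAMPLES = {
    "legacy_only": {"X-Frame-Options": "SAMEORIGIN"},
    "hardened": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    },
    "unprotected": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {clickjacking_assessment(hdrs)}")
```

The "hardened" sample keeps X-Frame-Options for older browsers and adds frame-ancestors, which is the layered configuration the record asks for.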

Key dates

Disclosure timeline

February 11, 2025: CVE published
February 18, 2025: Record updated