Description
An attacker can change the content of an SAP Commerce - versions 1905, 2005, 2105, 2011, 2205, login page through a manipulated URL. They can inject code that allows them to redirect submissions from the affected login form to their own server. This allows them to steal credentials and hijack accounts. A successful attack could compromise the Confidentiality, Integrity, and Availability of the system.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- SAP_SE / SAP Commerce1905 – 1905
- SAP_SE / SAP Commerce2005 – 2005
- SAP_SE / SAP Commerce2105 – 2105
- SAP_SE / SAP Commerce2011 – 2011
- SAP_SE / SAP Commerce2205 – 2205