Description
Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High impact on confidentiality and integrity of the application.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected products
- SAP_SE / SAP Commerce CloudHY_COM 1808 – HY_COM 1808
- SAP_SE / SAP Commerce Cloud1811 – 1811
- SAP_SE / SAP Commerce Cloud1905 – 1905
- SAP_SE / SAP Commerce Cloud2005 – 2005
- SAP_SE / SAP Commerce Cloud2105 – 2105
- SAP_SE / SAP Commerce Cloud2011 – 2011
- SAP_SE / SAP Commerce Cloud2205 – 2205
- SAP_SE / SAP Commerce CloudCOM_CLOUD 2211 – COM_CLOUD 2211