CVE-2024-39597

Published: Jul 9, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

7.2

HIGH

Description

In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites.

Vendor	Product	Versions
SAP_SE	SAP Commerce	affected `HY_COM 2205` affected `COM_CLOUD 2211`

Weaknesses (CWE)

CWE-285

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://url.sap/sapsecuritypatchday

https://me.sap.com/notes/3490515

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-39597

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References