CVE-2024-39597

EUVD-2024-38117
In SAP Commerce, a user can misuse the forgotten
password functionality to gain access to a Composable Storefront B2B site for
which early login and registration is activated, without requiring the merchant
to approve the account beforehand. If the site is not configured as isolated
site, this can also grant access to other non-isolated early login sites, even
if registration is not enabled for those other sites.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
CISA-ADPADP
7.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
sapcommerce_hycom
2205
ADP
sapcommerce_cloud
2211
ADP
Common Weakness Enumeration
References
https://me.sap.com/notes/3490515
https://url.sap/sapsecuritypatchday
https://me.sap.com/notes/3490515
https://url.sap/sapsecuritypatchday