CVE-2021-40502

Published: Nov 10, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to.

Affected (4)

Products: Sap: Commerce

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Sap Commerce	Version 1905.34
Sap Commerce	Version 2005.18
Sap Commerce	Version 2011.13
Sap Commerce	Version 2105.3

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

https://launchpad.support.sap.com/#/notes/3110328

Source: cna@sap.com

Permissions RequiredVendor Advisory

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864

Source: cna@sap.com

Vendor Advisory

https://launchpad.support.sap.com/#/notes/3110328

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredVendor Advisory

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.