CVE-2024-39597

Published: Jul 9, 2024Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.7

Source: CNA (Secondary)

Description

In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites.

Related CWEs

CWE-285

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (4)

https://me.sap.com/notes/3490515

Source: cna@sap.com

https://url.sap/sapsecuritypatchday

Source: cna@sap.com

https://me.sap.com/notes/3490515

Source: af854a3a-2127-422b-91ae-364da2661108

https://url.sap/sapsecuritypatchday

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.