Main Vulnerability Database Vulnerabilities #VU101380

#VU101380 Information disclosure in SAP Commerce Cloud - CVE-2024-47577

Published: December 10, 2024

Vulnerability identifier: #VU101380

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2024-47577

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
SAP Commerce Cloud

Software vendor:
SAP

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to the application uses HTTP GET protocol when performing search operation and passes client's personal information via URL. An attacker with access to server logs or ability to intercept HTTP Referer header from the search page can gain access to sensitive data.

Remediation

Install updates from vendor's website.

External links

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/december-2024.html