Information disclosure in SAP Commerce Cloud - CVE-2024-47577

 

Published: December 10, 2024


Vulnerability identifier: #VU101380
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-47577
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SAP
Affected software:
SAP Commerce Cloud

Detailed vulnerability description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists because the application uses the HTTP GET method for search operations and passes the client's personal information in the URL query string. Query strings are written to web server and proxy access logs and are sent in the HTTP Referer header of requests the browser makes from the search page, so an attacker with access to server logs, or who can observe the Referer header sent from the search page, can obtain the sensitive data.
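As an added, illustrative example (not code from SAP, and not taken from this advisory), the following Python script demonstrates the two leak paths named above: it scans constructed Apache combined-format access log lines for personal data carried in GET query strings and in Referer headers, shows how to redact such parameters before logging, and computes what a browser would actually send as Referer under several Referrer-Policy values. The endpoint path `/search`, the parameter names treated as personal data, and the log lines are assumptions made for the example.

```python
"""Added example (not SAP's or the advisory's code). Shows why PII in a GET
query string ends up in server logs and Referer headers, and what log
redaction and Referrer-Policy change. All sample data below is constructed."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names that carry customer data (hypothetical, not from the advisory).
PII_PARAMS = {"email", "phone", "firstname", "lastname", "postcode", "customerid"}

# Apache "combined" log format: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed log lines: a GET search carrying PII, a same-origin asset fetch whose
# Referer repeats that search URL, and a harmless search with no personal data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:10:01:02 +0000] "GET /search?text=shoes&email=alice%40example.com&postcode=SW1A+1AA HTTP/1.1" 200 5120 "https://shop.example/" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2024:10:01:05 +0000] "GET /static/app.js HTTP/1.1" 200 800 "https://shop.example/search?text=shoes&email=alice%40example.com&postcode=SW1A+1AA" "Mozilla/5.0"
198.51.100.2 - - [10/Dec/2024:10:02:00 +0000] "GET /search?text=hat HTTP/1.1" 200 4100 "https://shop.example/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def pii_in_url(url):
    """Return {param: decoded value} for every PII-named query parameter in a URL or path."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True) if k.lower() in PII_PARAMS}


def find_leaks(log_text):
    """Report PII found in GET request lines (server-log leak) and in Referer headers
    (leak to whatever resource the browser fetched next from the search page)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["method"] == "GET":
            leaked = pii_in_url(rec["target"])
            if leaked:
                findings.append(("request-line", rec["target"], leaked))
        leaked = pii_in_url(rec["referer"])
        if leaked:
            findings.append(("referer", rec["referer"], leaked))
    return findings


def redact_url(url):
    """Replace the values of PII parameters so the URL can be logged safely.
    Non-sensitive parameters (e.g. the search text) are kept in their original order."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in PII_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def referer_sent(page_url, dest_url, policy):
    """Referer value a browser sends from page_url to dest_url under the given
    Referrer-Policy. Covers: no-referrer, origin, unsafe-url,
    no-referrer-when-downgrade and strict-origin-when-cross-origin (browser default)."""
    src, dst = urlsplit(page_url), urlsplit(dest_url)
    origin = f"{src.scheme}://{src.netloc}/"
    full = urlunsplit(src._replace(fragment=""))  # the fragment is never sent
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if policy == "no-referrer":
        return ""
    if policy == "origin":
        return origin
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return "" if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return ""
        return full if same_origin else origin
    raise ValueError(f"unsupported policy: {policy}")


if __name__ == "__main__":
    for kind, where, data in find_leaks(SAMPLE_LOG):
        print(f"{kind}: {sorted(data)} in {where}")
    print("redacted:", redact_url("/search?text=shoes&email=alice%40example.com&postcode=SW1A+1AA"))
    page = "https://shop.example/search?email=alice%40example.com"
    for pol in ("strict-origin-when-cross-origin", "unsafe-url", "no-referrer"):
        print(pol, "->", repr(referer_sent(page, "https://cdn.example/a.js", pol)))
```

Two points the output makes concrete: the second log line shows that even under the current browser default policy a same-origin fetch still carries the full search URL in Referer, so the data reaches the server log twice; and redaction at the log layer only limits the damage, since the URL still travels over the network and through any intermediary. Removing personal data from the query string (for example by submitting the search with POST), which is what the vendor update is expected to address, is the actual fix.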


How to mitigate CVE-2024-47577

Install updates from the vendor's website.

Sources