#VU103904 Sensitive cookie with improper SameSite attribute in SAP Commerce - CVE-2025-24875

Cybersecurity Help s.r.o.

Published: 2025-02-12

Vulnerability identifier: #VU103904

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-24875

CWE-ID: CWE-1275

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SAP Commerce
Web applications / E-Commerce systems

Vendor: SAP

Description

The vulnerability allows a remote attacker to bypass security features.

The vulnerability exists due to application sets certain cookies with the SameSite attribute configured to None. A remote attacker can bypass implemented security features.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SAP Commerce: 2205 - 2211

External links
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february-2025.html
https://me.sap.com/notes/3555364

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in SAP Commerce