Input validation error in SAP Commerce

#VU50446 Input validation error in SAP Commerce

Published: 2021-02-09

Vulnerability identifier: #VU50446

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21477

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SAP Commerce
Web applications / E-Commerce systems

Vendor: SAP

Description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to unspecified vulnerability in SAP Commerce. A remote authenticated user can send a specially crafted request to the application and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SAP Commerce: 1808 - 2011

External links
http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=568460543
http://launchpad.support.sap.com/#/notes/3014121

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Remote code execution in SAP Commerce