VYPR

SAP Commerce

by SAP

CVEs (8)

  • CVE-2023-39439 (High), published Aug 8, 2023
    risk 0.57, CVSS 8.8, EPSS 0.01

    SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.

  • CVE-2018-2463 (High), published Sep 11, 2018
    risk 0.56, CVSS 8.6, EPSS 0.02

    The Omni Commerce Connect API (OCC) of SAP Hybris Commerce, versions 6.*, is vulnerable to server-side request forgery (SSRF) attacks. This is due to a misconfiguration of the XML parser used in the server-side implementation of OCC.

  • CVE-2018-2505 (Medium), published Dec 11, 2018
    risk 0.40, CVSS 6.1, EPSS 0.01

    SAP Commerce does not sufficiently validate user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability in storefronts that are based on the product. Fixed in versions (SAP Hybris Commerce, versions 6.2, 6.3, 6.4, 6.5, 6.6, 6.7).

  • CVE-2023-37486 (Medium), published Aug 8, 2023
    risk 0.38, CVSS 5.9, EPSS 0.00

    Under certain conditions, endpoints of SAP Commerce (OCC API), versions HY_COM 2105, HY_COM 2205, and COM_CLOUD 2211, allow an attacker to access information which would otherwise be restricted. On successful exploitation there could be a high impact on confidentiality with no impact…

  • CVE-2024-45278 (Medium), published Oct 8, 2024
    risk 0.35, CVSS 5.4, EPSS 0.00

    SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on the confidentiality and integrity of the application.

  • CVE-2024-41735 (Medium), published Aug 13, 2024
    risk 0.35, CVSS 5.4, EPSS 0.00

    SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability with low impact on the confidentiality and integrity of the application.

  • CVE-2024-41733 (Medium), published Aug 13, 2024
    risk 0.34, CVSS 5.3, EPSS 0.00

    In SAP Commerce, valid user accounts can be identified during the customer registration and login processes. This allows a potential attacker to learn if a given e-mail is used for an account, but does not grant access to any customer data beyond this knowledge. The attacker…

  • CVE-2026-23684 (severity not rated), published Feb 10, 2026
    risk 0.00, CVSS not available, EPSS 0.00

    A race condition vulnerability exists in SAP Commerce Cloud. Because of this, when an attacker adds products to a cart, a cart entry may be created with an erroneous product value which could then be checked out. This leads to high impact on data integrity, with no…