Description
SAP Commerce - versions 2105.3, 2011.13, 2005.18, 1905.34, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. Authenticated attackers will be able to access and edit data from b2b units they do not belong to.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=589496864
Permissions Required, Vendor Advisory x_refsource_misc
https://launchpad.support.sap.com/#/notes/3110328
Scores
CVSS v3
8.8
EPSS
0.0035
EPSS Percentile
57.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-862
Status
published
Products (4)
sap/commerce
1905.34
sap/commerce
2005.18
sap/commerce
2011.13
sap/commerce
2105.3
Published
Nov 10, 2021
Tracked Since
Feb 18, 2026