Description
Due to a lack of proper input validation, SAP Commerce Webservices 2.0 (Swagger UI) - versions 1905, 2005, 2105, 2011, 2205, allows malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a DOM Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to steal user tokens and achieve a full account takeover including access to administrative tools in SAP Commerce.
References (2)
Core 2
Core References
Permissions Required, Vendor Advisory
https://launchpad.support.sap.com/#/notes/3248255
Scores
CVSS v3
8.0
EPSS
0.0045
EPSS Percentile
63.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (5)
sap/commerce_webservices_2.0
1905
sap/commerce_webservices_2.0
2005
sap/commerce_webservices_2.0
2011
sap/commerce_webservices_2.0
2105
sap/commerce_webservices_2.0
2205
Published
Dec 13, 2022
Tracked Since
Feb 18, 2026