CVE-2024-33003
Severity: HIGH
SAP Commerce Cloud - Exposure of Sensitive Information via OCC API Endpoint URL Parameters
Title source: llmDescription
Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII), such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. Data placed in a URL is recorded wherever URLs are recorded (web-server and proxy access logs, browser history, Referer headers), so on successful exploitation this could lead to a High impact on the confidentiality and integrity of the application.
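The description names the weakness class (PII carried as URL query or path parameters, CWE-200) but not how to find it in your own traffic. The following is an added example, not SAP's code and not part of this record: a sweep over web-server access logs for OCC-style requests whose URL carries sensitive parameter names or path segments that look like an email address or phone number. The endpoint paths, parameter names and log lines are constructed assumptions for illustration, not the affected endpoints, which the SAP note identifies.

```python
# Added example, not SAP's code: scan access-log lines for OCC-style requests
# whose URL carries PII as query or path parameters (the CWE-200 pattern the
# advisory describes). Endpoint paths, parameter names and log lines below are
# constructed for illustration and are NOT the affected SAP endpoints.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Query-parameter names treated as sensitive (assumed list; tune per deployment).
SENSITIVE_PARAMS = {
    "password", "pwd", "old", "new", "oldpassword", "newpassword",
    "email", "mobile", "phone", "token",
    "voucherid", "vouchercode", "couponcode",
}

# Path segments that look like an e-mail address or a phone number.
EMAIL_RE = re.compile(r"^[^/@\s]+@[^/@\s]+\.[a-z]{2,}$", re.I)
PHONE_RE = re.compile(r"^\+?\d[\d\-\s]{7,}\d$")

# Common Log Format: host ident authuser [time] "METHOD target HTTP/x" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic, not real endpoints).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Aug/2024:10:00:01 +0000] "PUT /occ/v2/electronics/users/alice%40example.com/password?old=Summer2024&new=Autumn2024 HTTP/1.1" 202 0',
    '203.0.113.5 - - [13/Aug/2024:10:00:02 +0000] "POST /occ/v2/electronics/users/current/carts/00001234/vouchers?voucherId=WELCOME10 HTTP/1.1" 200 15',
    '203.0.113.9 - - [13/Aug/2024:10:00:03 +0000] "GET /occ/v2/electronics/products/1978440?fields=DEFAULT HTTP/1.1" 200 2048',
    '198.51.100.7 - - [13/Aug/2024:10:00:04 +0000] "GET /medias/logo.png HTTP/1.1" 200 4096',
    '203.0.113.9 - - [13/Aug/2024:10:00:05 +0000] "POST /occ/v2/electronics/users/+4917612345678/orders HTTP/1.1" 201 0',
]


def _mask(value):
    """Keep only the first character so the report itself does not leak PII."""
    return value[:1] + "***"


def scan_line(line):
    """Return a list of findings for one access-log line (empty if none)."""
    m = CLF_RE.match(line)
    if not m:
        return []
    target = m.group("target")
    if "/occ/" not in target:          # only OCC API traffic is in scope here
        return []
    parts = urlsplit(target)
    # Decode path segments, then mask any that look like PII before reporting.
    segs = [unquote(s) for s in parts.path.split("/")]
    hits = [s for s in segs if EMAIL_RE.match(s) or PHONE_RE.match(s)]
    safe_path = "/".join(_mask(s) if s in hits else s for s in segs)
    findings = []
    # Query string: report the parameter name only, never its value.
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS:
            findings.append({"kind": "query", "name": key,
                             "method": m.group("method"), "path": safe_path})
    for seg in hits:
        findings.append({"kind": "path", "name": _mask(seg),
                         "method": m.group("method"), "path": safe_path})
    return findings


def scan_log(lines):
    """Scan many lines; returns all findings in log order."""
    return [f for line in lines for f in scan_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['kind']:5} {f['method']:4} {f['path']}  <- {f['name']}")
```

A hit here means more than "patch the endpoint": the secret is already written to every log and history that saw the URL, so passwords, tokens and voucher codes found this way should be rotated or invalidated, and the parameter list should be extended with whatever names your own storefront customisations use.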
References (2)
Core References
Permissions Required
https://me.sap.com/notes/3459935
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3.1: 7.4 (High)
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: NETWORK
EPSS: 0.0057 (0.57%)
EPSS Percentile: 68.9%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Status: published
Products (8)
sap/commerce_cloud 1811
sap/commerce_cloud 1905
sap/commerce_cloud 2005
sap/commerce_cloud 2011
sap/commerce_cloud 2105
sap/commerce_cloud 2205
sap/commerce_cloud com_cloud_2211
sap/commerce_cloud hy_com_1808
Published: Aug 13, 2024
Tracked Since: Feb 18, 2026