CVE-2024-39597
Severity: HIGH
SAP Commerce HY_COM 2205 and COM_CLOUD 2211 - Improper Authorization via Forgotten Password Functionality
Title source: llmDescription
In SAP Commerce, a user can misuse the forgotten password functionality to gain access to a Composable Storefront B2B site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as an isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites.
References (2)
Vendor Advisory: https://url.sap/sapsecuritypatchday
Vendor Advisory: https://me.sap.com/notes/3490515
Scores
CVSS v3: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS: 0.0023
EPSS Percentile: 46.3%
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-285
Status: published
Products (2)
SAP_SE/SAP Commerce: COM_CLOUD 2211
SAP_SE/SAP Commerce: HY_COM 2205
Published: Jul 09, 2024
Tracked Since: Feb 18, 2026