CVE-2025-27435
MEDIUMSAP Commerce Cloud HY_COM 2205 and COM_CLOUD 2211 - Unauthenticated Coupon Code Exposure via URL Parameters
Title source: llmDescription
Under specific conditions and prerequisites, an unauthenticated attacker could access customer coupon codes exposed in the URL parameters of the Coupon Campaign URL in SAP Commerce. This could allow the attacker to use the disclosed coupon code, hence posing a low impact on confidentiality and integrity of the application.
References (2)
Core 2
Core References
Vendor Advisory
https://me.sap.com/notes/3539465
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
4.2
EPSS
0.0034
EPSS Percentile
56.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (2)
SAP_SE/SAP Commerce Cloud
COM_CLOUD 2211
SAP_SE/SAP Commerce Cloud
HY_COM 2205
Published
Apr 08, 2025
Tracked Since
Feb 18, 2026