CVE-2024-33003
CVE-2024-33003 is a critical-severity vulnerability in SAP Commerce Cloud rated 9.1/10 on the CVSS scale: some OCC API endpoints allow Personally Identifiable Information (PII), such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters, with a high impact on confidentiality and integrity on successful exploitation. EPSS estimates a 0.47% chance of exploitation in the next 30 days.
Description
Some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a high impact on the confidentiality and integrity of the application.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Sap | Commerce Cloud | 1811 |
| Sap | Commerce Cloud | 1905 |
| Sap | Commerce Cloud | 2005 |
| Sap | Commerce Cloud | 2011 |
| Sap | Commerce Cloud | 2105 |
| Sap | Commerce Cloud | 2205 |
| Sap | Commerce Cloud | com_cloud_2211 |
| Sap | Commerce Cloud | hy_com_1808 |
References
- https://me.sap.com/notes/3459935 (Permissions Required)
- https://url.sap/sapsecuritypatchday (Vendor Advisory)
Source: NVD / NIST
