CVE-2024-47577

Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability. When an authorized agent searches for customer to manage their accounts, the request url includes customer data and it is recorded in server logs. If an attacker impersonating as authorized admin visits such server logs, then they get access to the customer data. The amount of leaked confidential data however is extremely limited, and the attacker has no control over what data is leaked.

CVSS v3 2.7 LOW

2.7^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3535451
https://url.sap/sapsecuritypatchday

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Los endpoints de la API de servicio web para el módulo de servicio asistido dentro de SAP Commerce Cloud tienen una vulnerabilidad de divulgación de información. Cuando un agente autorizado busca un cliente para administrar sus cuentas, la URL de la solicitud incluye datos del cliente y se registra en los registros del servidor. Si un atacante que se hace pasar por un administrador autorizado visita dichos registros del servidor, obtiene acceso a los datos del cliente. Sin embargo, la cantidad de datos confidenciales filtrados es extremadamente limitada y el atacante no tiene control sobre qué datos se filtran.

10 Dec 2024, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-10 01:15

Updated : 2026-04-15 00:35

NVD link : CVE-2024-47577

Mitre link : CVE-2024-47577

CVE.ORG link : CVE-2024-47577

JSON object : View

Products Affected

No product.

CWE

CWE-319

Cleartext Transmission of Sensitive Information

2.7 /10