CVE-2025-27435 | THREATINT

Description

Under specific conditions and prerequisites, an unauthenticated attacker could access customer coupon codes exposed in the URL parameters of the Coupon Campaign URL in SAP Commerce. This could allow the attacker to use the disclosed coupon code, hence posing a low impact on confidentiality and integrity of the application.

PUBLISHED Reserved 2025-02-25 | Published 2025-04-08 | Updated 2025-04-08 | Assigner sap

MEDIUM: 4.2CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Problem types

CWE-862: Missing Authorization

Product status

Default status

unaffected

HY_COM 2205

affected

COM_CLOUD 2211

affected

References

me.sap.com/notes/3539465

url.sap/sapsecuritypatchday

cve.org (CVE-2025-27435)

nvd.nist.gov (CVE-2025-27435)

Download JSON