CVE-2021-27619

Name of the Vulnerable Software and Affected Versions SAP Commerce (Backoffice Search) versions 1808, 1811, 1905, 2005, 2011

Description The issue allows a low-privileged user to search for attributes that are not supposed to be displayed to them. Although the search results are masked, the user can iteratively enter one character at a time to search and determine the masked attribute value, leading to information disclosure.

Recommendations For versions 1808, 1811, 1905, 2005, 2011, consider restricting access to the search functionality for low-privileged users until a fix is available. As a temporary workaround, limit the ability to iteratively enter characters in the search function to minimize the risk of information disclosure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.