CVE-2023-42481

Name of the Vulnerable Software and Affected Versions SAP Commerce Cloud versions HY COM 1905 through HY COM 2205, COM CLOUD 2211

Description A locked B2B user can misuse the forgotten password functionality to un-block their user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.

Recommendations For SAP Commerce Cloud versions HY COM 1905 through HY COM 2205, COM CLOUD 2211, consider disabling the forgotten password functionality for locked B2B users until a patch is available. Restrict access to the Composable Storefront for locked B2B users to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.