CVE-2025-24875

Name of the Vulnerable Software and Affected Versions: SAP Commerce (affected versions not specified)

Description: The issue is related to SAP Commerce setting certain cookies with the SameSite attribute configured to None by default. This includes authentication cookies used in SAP Commerce Backoffice. This configuration reduces defense in depth against Cross-Site Request Forgery (CSRF) attacks and may lead to future compatibility issues.

Recommendations: As a temporary workaround, consider configuring the SameSite attribute to a more restrictive setting, such as Lax or Strict, to minimize the risk of CSRF attacks. Restrict access to sensitive areas of SAP Commerce Backoffice to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.