Vulnerability Details CVE-2022-41266
Due to a lack of proper input validation, SAP Commerce Webservices 2.0 (Swagger UI) - versions 1905, 2005, 2105, 2011, 2205, allows malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a DOM Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to steal user tokens and achieve a full account takeover including access to administrative tools in SAP Commerce.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 45.3%
CVSS Severity
CVSS v3 Score 8.0
References
Products affected by CVE-2022-41266
-
cpe:2.3:a:sap:commerce_webservices_2.0:1905
-
cpe:2.3:a:sap:commerce_webservices_2.0:2005
-
cpe:2.3:a:sap:commerce_webservices_2.0:2011
-
cpe:2.3:a:sap:commerce_webservices_2.0:2105
-
cpe:2.3:a:sap:commerce_webservices_2.0:2205