Sap Commerce Cloud
Monthly
Authentication bypass via well-known default credentials in SAP Commerce Cloud allows an unauthenticated remote attacker to abuse a pre-provisioned sample OAuth2 client whose client ID and secret are published in SAP Help Portal documentation. If the sample client is left in place, the attacker mints a valid OAuth2 access token and calls certain APIs to read and modify business data (CVSS 9.1, high confidentiality and integrity impact, no availability impact). No public exploit identified at time of analysis, but the credentials are publicly documented, making exploitation trivial wherever the sample configuration was never removed.
Authentication bypass via well-known default credentials in SAP Commerce Cloud allows an unauthenticated remote attacker to abuse a pre-provisioned sample OAuth2 client whose client ID and secret are published in SAP Help Portal documentation. If the sample client is left in place, the attacker mints a valid OAuth2 access token and calls certain APIs to read and modify business data (CVSS 9.1, high confidentiality and integrity impact, no availability impact). No public exploit identified at time of analysis, but the credentials are publicly documented, making exploitation trivial wherever the sample configuration was never removed.