CVE-2023-42481: 
SAP Commerce Cloud vulnerability analysis and mitigation

A vulnerability (CVE-2023-42481) was identified in SAP Commerce Cloud versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, and COM_CLOUD 2211. The vulnerability allows a locked B2B user to misuse the forgotten password functionality to unblock their user account and regain access when SAP Commerce Cloud - Composable Storefront is used as the storefront (NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 8.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. The vulnerability stems from weak access controls in place and is categorized under CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) (NVD).

The exploitation of this vulnerability leads to considerable impacts on both confidentiality and integrity of the system. With network-based attack vector and low attack complexity, an attacker with low privileges can exploit this vulnerability without requiring user interaction (NVD).

SAP has released security notes and patches to address this vulnerability. Users should refer to SAP Security Note 3394567 for detailed mitigation instructions (SAP Note).