Description
SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None (SameSite=None). This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and may lead to future compatibility issues.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected products
- SAP_SE / SAP CommerceHY_COM 2205 – HY_COM 2205
- SAP_SE / SAP CommerceCOM_CLOUD 2211 – COM_CLOUD 2211