CVE-2023-39439— SAP Commerce accepts empty passphrases.
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-39439
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SAP Commerce accepts empty passphrases.
Source: NVD (National Vulnerability Database)
Vulnerability Description
SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
配置文件中缺省空口令
Source: NVD (National Vulnerability Database)
Vulnerability Title
SAP Commerce 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SAP Commerce是德国思爱普(SAP)公司的一套基于云的电子商务平台。该产支持销售管理、营销管理、订单管理和运营管理等。 SAP Commerce 存在安全漏洞,该漏洞源于可能接受用户 ID 和密码身份验证的空密码,从而允许用户无需密码即可登录系统。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| SAP_SE | SAP Commerce | HY_COM 2105 | - |
II. Public POCs for CVE-2023-39439
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-39439
请登录查看更多情报信息。
Same Patch Batch · SAP_SE · 2023-08-08 · 15 CVEs total
| CVE-2023-37483 | 9.8 CRITICAL | Improper Access Control Vulnerabilities in SAP PowerDesigner |
| CVE-2023-36923 | 7.8 HIGH | Code Injection vulnerability in SAP PowerDesigner |
| CVE-2023-39437 | 7.6 HIGH | Cross-Site Scripting (XSS) vulnerability in SAP Business One |
| CVE-2023-37490 | 7.6 HIGH | Binary hijack in SAP BusinessObjects Business Intelligence (Installer) |
| CVE-2023-37491 | 7.5 HIGH | Improper Authorization check vulnerability in SAP Message Server |
| CVE-2023-33993 | 7.1 HIGH | SQL Injection vulnerability in SAP Business One B1i Layer |
| CVE-2023-37488 | 6.1 MEDIUM | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Process Integration |
| CVE-2023-37486 | 5.9 MEDIUM | Information Disclosure vulnerability in SAP Commerce (OCC API) |
| CVE-2023-39436 | 5.8 MEDIUM | Information Disclosure in SAP Supplier Relationship Management |
| CVE-2023-37487 | 5.3 MEDIUM | Security misconfiguration vulnerability in SAP Business One (Service Layer) |
| CVE-2023-37484 | 5.3 MEDIUM | Information Disclosure Vulnerabilities in SAP PowerDesigner |
| CVE-2023-37492 | 4.9 MEDIUM | Missing Authorization check in SAP NetWeaver AS ABAP and ABAP Platform |
| CVE-2023-39440 | 4.4 MEDIUM | Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform |
| CVE-2023-36926 | 3.7 LOW | Information disclosure vulnerability in SAP Host Agent |
IV. Related Vulnerabilities
Same product: SAP Commerce
Same vendor: SAP_SE
- CVE-2026-34264
Information Disclosure vulnerability in SAP Human Capital Ma - CVE-2026-34262
Information Disclosure Vulnerability in SAP HANA Cockpit and - CVE-2026-34261
Missing Authorization check in SAP Business Analytics and SA - CVE-2026-34257
Open Redirect vulnerability in SAP NetWeaver Application Ser - CVE-2026-34256
Missing Authorization check in SAP ERP and SAP S/4 HANA (Pri
Same weakness: CWE-258
- CVE-2025-9276
Cockroach Labs cockroach-k8s-request-cert Empty Root Passwor - CVE-2025-4395
Medtronic MyCareLink Patient Monitor Empty Password Vulnerab - CVE-2024-35137
IBM Security Access Manager Docker information disclosure - CVE-2024-4106
Yokogawa FAST/TOOLS 安全漏洞 - CVE-2023-43016
IBM Security Access Manager Container unauthorized access
V. Comments for CVE-2023-39439
No comments yet