CVE-2025-27434

CVE-2025-27434 is a cross-site scripting (XSS) vulnerability in SAP Commerce, specifically affecting the Swagger UI component due to insufficient input validation. This flaw allows an unauthenticated attacker to inject malicious code from remote sources, potentially compromising the confidentiality, integrity, and availability of data within SAP Commerce. The vulnerability is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-79 (Cross-site Scripting). It was published on 2025-03-11.

An unauthenticated attacker can exploit this vulnerability over the network with low complexity, though it requires user interaction (UI:R). By tricking a user into interacting with a maliciously crafted input via the Swagger UI, the attacker can execute arbitrary JavaScript in the victim's browser context, leading to high-impact effects such as data theft, modification, or denial of service within the affected SAP Commerce instance.

SAP has addressed this issue through security advisories and patches, detailed in SAP Note 3569602 (https://me.sap.com/notes/3569602) and the SAP Security Patch Day page (https://url.sap/sapsecuritypatchday), which provide guidance on applying fixes to mitigate the XSS risk.