CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-24874: Missing Defense in Depth Against Clickjacking in SAP Commerce Backoffice

6.8 CVSS

Description

SAP Commerce (Backoffice) uses the deprecated X-FRAME-OPTIONS header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future as browsers might discontinue support for this header in favor of the frame-ancestors CSP directive. Hence, clickjacking could become possible then, and lead to exposure and modification of sensitive information.

Classification

CVE ID: CVE-2025-24874

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.8

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected Products

Vendor: SAP_SE

Product: SAP Commerce (Backoffice)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.94% (scored less or equal to compared to others)

EPSS Date: 2025-03-12 (when was this score calculated)

References

https://me.sap.com/notes/3559510
https://url.sap/sapsecuritypatchday

Timeline

2025-02-12 00:31:39 UTC
CVE

Missing Defense in Depth Against Clickjacking in SAP Commerce Backoffice