What is CVE-2025-24875?

CVE-2025-24875 is a medium-severity vulnerability in Sap_se Sap Commerce, classified under Cross-Site Request Forgery (CSRF). CVSS score: 6.8/10. Published 2025-02-11.

How severe is CVE-2025-24875?

Medium severity. CVSS v3 base score is 6.8 out of 10.

CSRF in Sap_se Sap Commerce

CVE-2025-24875

SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None (SameSite=None). This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against…

Vulnerability class: CSRF (Cross-Site Request Forgery)

EPSS: 0.001 (23.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.8 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N.

Affected products

Sap_se Sap Commerce — versions HY_COM 2205, COM_CLOUD 2211

Weakness classification (CWE)

CWE-352 — Cross-Site Request Forgery (CSRF)

References

me.sap.com/notes/3555364
url.sap/sapsecuritypatchday

Frequently asked questions

What is CVE-2025-24875?: CVE-2025-24875 is a medium-severity vulnerability in Sap_se Sap Commerce, classified under Cross-Site Request Forgery (CSRF). CVSS score: 6.8/10. Published 2025-02-11.
How severe is CVE-2025-24875?: Medium severity. CVSS v3 base score is 6.8 out of 10.