Tracked as CVE-2021-21477 and featuring a CVSS score of 9.9, the critical issue could be abused for remote code execution, SAP explains in its advisory. The vulnerability impacts SAP Commerce if the rule engine extension is installed.

Meant to define and execute rules to manage decision-making scenarios, the rule engine uses a ruleContent attribute offering scripting facilities. While making modifications to ruleContent should normally be allowed for highly privileged users only, a misconfiguration shipped with SAP Commerce resulted in lower-privileged users and user groups being allowed to change ruleContents.