Configured Commerce: COM-2026-02 - Unverified Email Address Change

  • Updated

Brief Description:

A medium-severity issue concerning unverified email address change was identified in the Commerce B2B application which a malicious user with access to an admin console account to change the email address to something they control without verification of email change request.

 

Affected Versions:

All versions before 5.2.2605.

 

Solutions and Mitigations:

The application has been updated to require email verification on address change request prior to changing the account email in the system.

 

For Users that Cannot Upgrade:

If you are unable to upgrade, the following mitigations are suggested:

  • Exploitation requires knowledge of the account credentials – ensure credentials are secured and not available publicly.

 

CVSS and Severity:

CVSS 6.4, Medium

 

CVE/CWE ID:

CWE-283