HCL Commerce, when using Elasticsearch, could be affected by a denial of service vulnerability

HCL Commerce websites using Elasticsearch can be taken offline by attackers, who may also gain ability to make administrative changes. This is a serious flaw that affects site availability and security.

A remote attacker can trigger a denial of service condition in HCL Commerce deployments configured with Elasticsearch backend, potentially combined with unauthorized administrative access. The vulnerability requires network access to the affected service; exploitation results in service unavailability and potential privilege escalation through administrative function compromise.