CVE-2020-6302
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
09/09/2020
Last modified:
10/09/2020
Description
SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. An attacker can get this session ID via shoulder surfing or man in the middle attack and subsequently get access to admin user accounts, leading to Session Fixation and complete compromise of the confidentiality, integrity and availability of the application.
Impact
Base Score 3.x
8.10
Severity 3.x
HIGH
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:sap:commerce:6.7:*:*:*:*:*:*:* | ||
cpe:2.3:a:sap:commerce:1808:*:*:*:*:*:*:* | ||
cpe:2.3:a:sap:commerce:1811:*:*:*:*:*:*:* | ||
cpe:2.3:a:sap:commerce:1905:*:*:*:*:*:*:* | ||
cpe:2.3:a:sap:commerce:2005:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page