CVE-2019-0341

CWE-732 — Incorrect Permission Assignment3 documents3 sources

Severity

8.8HIGH

EPSS

0.2%

top 55.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Enable NOW SAP Enable NOW

Timeline

PublishedAug 14

Latest updateMay 24

Description

The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set. If an attacker runs script code in the context of the application, he could get access to the session cookie. The session cookie could then be abused to gain access to the application.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5sap_se/sap_enable_now< 1902

▶NVDsap/enable_now1902

🔴Vulnerability Details

GHSA

GHSA-3cjx-w9jj-45qv: The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set↗2022-05-24

▶

CVEList

CVE-2019-0341: The session cookie used by SAP Enable Now, version 1902, does not have the HttpOnly flag set↗2019-08-14

▶