CVE-2020-6201 — Cross-site Scripting in SE SAP Commerce Cloud

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 41.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Commerce Cloud SAP Commerce Cloud

Timeline

PublishedMar 10

Latest updateMay 24

Description

The SAP Commerce (Testweb Extension), versions- 6.6, 6.7, 1808, 1811, 1905, does not sufficiently encode user-controlled inputs, due to which certain GET URL parameters are reflected in the HTTP responses without escaping/sanitization, leading to Reflected Cross Site Scripting.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5sap_se/sap_commerce_cloud< 6.6+4

▶NVDsap/commerce_cloud5 versions+4

🔴Vulnerability Details

GHSA

GHSA-9659-6f28-gj3x: The SAP Commerce (Testweb Extension), versions- 6↗2022-05-24

▶

CVEList

CVE-2020-6201: The SAP Commerce (Testweb Extension), versions- 6↗2020-03-10

▶