CVE-2020-6272

CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
5.4MEDIUM
EPSS
0.2%
top 62.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP Commerce CloudSAP Commerce Cloud
Timeline
PublishedOct 15
Latest updateMay 24

Description

SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several web CMS components. These can be saved and later triggered, if an affected web page is visited, resulting in Cross-Site Scripting (XSS) vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

CVEListV5sap_se/sap_commerce_cloud< 1808+3
NVDsap/commerce_cloud4 versions+3

🔴Vulnerability Details

2
GHSA
GHSA-q5ph-qv4m-hcxv: SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content m2022-05-24
CVEList
CVE-2020-6272: SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content m2020-10-15
CVE-2020-6272 (MEDIUM CVSS 5.4) | SAP Commerce Cloud versions - 1808 | cvebase.io