CVE-2020-6302Session Fixation in SE SAP Commerce

CWE-384Session Fixation3 documents3 sources
Severity
8.1HIGHNVD
EPSS
0.4%
top 39.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP CommerceSAP Commerce
Timeline
PublishedSep 9
Latest updateMay 24

Description

SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. An attacker can get this session ID via shoulder surfing or man in the middle attack and subsequently get access to admin user accounts, leading to Session Fixation and complete compromise of the confidentiality, integrity and availability of the application.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

CVEListV5sap_se/sap_commerce< 6.7+4
NVDsap/commerce5 versions+4

🔴Vulnerability Details

2
GHSA
GHSA-m697-r4gm-82f3: SAP Commerce versions 62022-05-24
CVEList
CVE-2020-6302: SAP Commerce versions 62020-09-09
CVE-2020-6302 — Session Fixation in SAP SE SAP Commerce | cvebase