CVE-2020-6363

CWE-613Insufficient Session Expiration3 documents3 sources
Severity
4.6MEDIUM
EPSS
0.2%
top 56.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
SAP SE SAP Commerce CloudSAP Commerce Cloud
Timeline
PublishedOct 15
Latest updateMay 24

Description

SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user. These sessions are established after the user has authenticated with username/passphrase credentials. The user can change their own passphrase, but this does not invalidate active sessions that the user may have with SAP Commerce Cloud web applications, which gives an attacker the opportunity to reuse old session credentials, resulting in Insufficient Session Expiration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.5

Affected Packages2 packages

CVEListV5sap_se/sap_commerce_cloud< 1808+3
NVDsap/commerce_cloud4 versions+3

🔴Vulnerability Details

2
GHSA
GHSA-495p-5rpx-57mw: SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user2022-05-24
CVEList
CVE-2020-6363: SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user2020-10-15
CVE-2020-6363 (MEDIUM CVSS 4.6) | SAP Commerce Cloud | cvebase.io