CVE-2020-6272 Information

Description

SAP Commerce Cloud versions 1808, 1811, 1905 and 2005 do not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several web CMS components. These scripts can be saved and are later triggered when an affected web page is visited, resulting in a Cross-Site Scripting (XSS) vulnerability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://launchpad.support.sap.com//notes/2917381

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM
