CVE-2020-6363 Information

Description

SAP Commerce Cloud versions 1808, 1811, 1905 and 2005 expose several web applications that maintain sessions with a user. These sessions are established after the user has authenticated with username/passphrase credentials. The user can change their own passphrase, but doing so does not invalidate active sessions that the user may have with SAP Commerce Cloud web applications. An attacker who already holds a session (for example, a stolen session cookie) can therefore keep using it after the legitimate user has rotated the passphrase, resulting in Insufficient Session Expiration (CWE-613).
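To make the failure mode concrete, the following is an added, self-contained example (not SAP code and not taken from the SAP notes). It models a minimal session store in two modes: the vulnerable behaviour the advisory describes, where a passphrase change leaves every previously issued session valid, and a hardened variant that binds each session to a per-user credential generation counter so that a passphrase change invalidates all other sessions while keeping the one that performed the change. All class and function names, the PBKDF2 parameters and the user "alice" are hypothetical.

```python
"""
Toy session store contrasting the vulnerable behaviour described in the
advisory (passphrase change leaves other sessions alive) with a hardened
store that binds every session to a credential generation counter.
Constructed example, not SAP code; all names are hypothetical.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Iteration count kept low so the demo runs quickly; production uses far more.
PBKDF2_ITERATIONS = 10_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    credential_version: int = 0  # bumped on every passphrase change


@dataclass
class Session:
    username: str
    credential_version: int  # generation under which the session was issued


class SessionStore:
    """invalidate_on_password_change=False reproduces the CWE-613 behaviour."""

    def __init__(self, invalidate_on_password_change: bool) -> None:
        self.hardened = invalidate_on_password_change
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(salt, _hash_password(password, salt))

    def _check(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))

    def login(self, username: str, password: str):
        if not self._check(username, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, self.users[username].credential_version)
        return sid

    def is_valid(self, sid: str) -> bool:
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        if not self.hardened:
            return True  # vulnerable: any session ever issued stays valid
        # hardened: the session must match the user's current credential generation
        return sess.credential_version == self.users[sess.username].credential_version

    def change_password(self, sid: str, old_password: str, new_password: str) -> bool:
        if not self.is_valid(sid):
            return False
        sess = self.sessions[sid]
        user = self.users[sess.username]
        if not self._check(sess.username, old_password):
            return False
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash_password(new_password, user.salt)
        if self.hardened:
            user.credential_version += 1
            # Re-bind only the session that performed the change; every other
            # session for this user now carries a stale generation and is rejected.
            sess.credential_version = user.credential_version
        return True


def demo(hardened: bool) -> tuple:
    """Return (attacker_session_still_valid, changer_session_still_valid)."""
    store = SessionStore(invalidate_on_password_change=hardened)
    store.register("alice", "old-passphrase")
    stolen = store.login("alice", "old-passphrase")  # session an attacker captured
    own = store.login("alice", "old-passphrase")     # session alice uses to rotate
    assert store.change_password(own, "old-passphrase", "new-passphrase")
    return store.is_valid(stolen), store.is_valid(own)


if __name__ == "__main__":
    print("vulnerable:", demo(hardened=False))  # attacker session survives
    print("hardened:  ", demo(hardened=True))   # attacker session rejected
```

The same two-session check is how a tester confirms the issue against a real deployment: log in twice as the same user, change the passphrase in one session, then replay the other session's cookie and verify whether the server still accepts it. The generation-counter design avoids having to enumerate and delete sessions in a distributed store; a per-user version compared on every request is enough.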

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Reference

https://launchpad.support.sap.com//notes/2965287
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

4.6

Base Severity

MEDIUM
