Session Fixation in SAP Commerce - CVE-2020-6302

 

Published: September 11, 2020


Vulnerability identifier: #VU46639
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-6302
CWE-ID: CWE-384
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: SAP Commerce
Software vendor: SAP

Description

The vulnerability allows a remote attacker to compromise another user session.

The vulnerability exists due to an improper session management mechanism. An attacker can obtain the session ID via shoulder surfing or a man-in-the-middle attack and subsequently gain access to admin user accounts, leading to session fixation and complete compromise of the confidentiality, integrity and availability of the application.
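The weakness class here (CWE-384) is a login flow that keeps the session identifier that already existed before authentication, so an identifier known beforehand becomes an authenticated session. The following is an added illustration, not SAP Commerce code or anything derived from the vendor's fix: a constructed in-memory session store in Python showing the weak login beside the hardened one, which discards the pre-login session and binds the user to a freshly issued identifier.

```python
"""Session fixation (CWE-384): minimal model of the weak and the fixed login flow.

Constructed example. The server keeps a session store keyed by session ID.
In the weak variant, the session ID that existed before authentication
stays valid after login, so anyone who knew that ID beforehand now holds an
authenticated session. The fixed variant issues a new ID at login and
invalidates the old one, which is the standard mitigation for this CWE.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None  # None until the session is authenticated
    authenticated: bool = False


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)

    def create(self) -> str:
        """Issue an anonymous session, as a web app does on the first request."""
        sid = secrets.token_urlsafe(32)  # unguessable, so only fixation matters here
        self.sessions[sid] = Session()
        return sid

    def is_authenticated_as(self, sid: str, user: str) -> bool:
        """True only if the ID maps to a live session authenticated as `user`."""
        s = self.sessions.get(sid)
        return s is not None and s.authenticated and s.user == user


def login_weak(store: SessionStore, sid: str, user: str) -> str:
    """Weak: authenticate in place. The pre-login ID keeps working afterwards."""
    s = store.sessions[sid]
    s.user = user
    s.authenticated = True
    return sid


def login_fixed(store: SessionStore, sid: str, user: str) -> str:
    """Fixed: drop the pre-login session and bind the user to a freshly issued ID."""
    store.sessions.pop(sid, None)  # the old ID is now meaningless everywhere
    new_sid = store.create()
    s = store.sessions[new_sid]
    s.user = user
    s.authenticated = True
    return new_sid


def demo(login: Callable[[SessionStore, str, str], str]) -> Tuple[bool, bool]:
    """Run one login flow and report (pre-login ID authenticated?, returned ID authenticated?)."""
    store = SessionStore()
    pre_login_sid = store.create()  # an ID that existed before authentication
    returned_sid = login(store, pre_login_sid, "admin")
    return (
        store.is_authenticated_as(pre_login_sid, "admin"),
        store.is_authenticated_as(returned_sid, "admin"),
    )


if __name__ == "__main__":
    # Weak flow: the pre-login ID is now an admin session -> (True, True)
    print("weak login :", demo(login_weak))
    # Fixed flow: the pre-login ID is dead, only the new ID is authenticated -> (False, True)
    print("fixed login:", demo(login_fixed))
```

The check a reviewer applies to any login handler is the one `demo` encodes: after a successful authentication, the identifier the client presented before login must no longer resolve to a valid session. Rotating the identifier on every privilege change (login, role elevation) rather than only at creation is what closes this class of defect.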


Remediation

Install updates from vendor's website.

External links