Lucene search

SapCVELIST:CVE-2020-6272

HistoryOct 15, 2020 - 1:46 a.m.

CVE-2020-6272

2020-10-1501:46:38

sap

www.cve.org

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

22.7%

JSON

SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several web CMS components. These can be saved and later triggered, if an affected web page is visited, resulting in Cross-Site Scripting (XSS) vulnerability.

CNA Affected

[
  {
    "product": "SAP Commerce Cloud",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "< 1808"
      },
      {
        "status": "affected",
        "version": "< 1811"
      },
      {
        "status": "affected",
        "version": "< 1905"
      },
      {
        "status": "affected",
        "version": "< 2005"
      }
    ]
  }
]

References

launchpad.support.sap.com/#/notes/2917381

wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196