Session fixation

2020-09-0913:15:00

PRIOn knowledge base

www.prio-n.com

8 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.5%

JSON

SAP Commerce versions 6.7, 1808, 1811, 1905, 2005 contains the jSession ID in the backoffice URL when the application is loaded initially. An attacker can get this session ID via shoulder surfing or man in the middle attack and subsequently get access to admin user accounts, leading to Session Fixation and complete compromise of the confidentiality, integrity and availability of the application.

CPENameOperatorVersion
commerceeq6.7
commerceeq1808
commerceeq1811
commerceeq1905
commerceeq2005

Name	Operator	Version
commerce	eq	6.7
commerce	eq	1808
commerce	eq	1811
commerce	eq	1905
commerce	eq	2005

References

launchpad.support.sap.com/

wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700