Reflected Cross Site Scripting Vulnerability in SAP Commerce by SAP
CVE-2020-6201

6.1 MEDIUM

Key Information:

Vendor:
SAP
CVE Published:
10 March 2020

Summary

SAP Commerce, specifically in the Testweb Extension across multiple versions, lacks adequate encoding of user-controlled inputs. This vulnerability allows certain GET URL parameters to be reflected in HTTP responses without proper escaping or sanitization, which can lead to reflected cross site scripting attacks. Malicious users could exploit this weakness to inject arbitrary scripts into pages viewed by other users, potentially compromising sensitive information and overall web application security.

Affected Version(s)

SAP Commerce Cloud (Testweb Extension) < 6.6

SAP Commerce Cloud (Testweb Extension) < 6.7

SAP Commerce Cloud (Testweb Extension) < 1808

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
