Insufficient Session Expiration in SAP Commerce Cloud
CVE-2020-6363

4.6MEDIUM

Key Information:

Vendor: SAP
Status: SAP Commerce Cloud
Vendor: CVE Published:; 15 October 2020

Summary

SAP Commerce Cloud versions 1808, 1811, 1905, and 2005 have a vulnerability that occurs when a user changes their passphrase; the system does not invalidate existing sessions. This behavior allows an attacker to exploit the old session credentials, posing significant security risks as it compromises session integrity. Users should be aware of the potential for unauthorized access to their accounts due to this insufficient session expiration vulnerability.

Affected Version(s)

SAP Commerce Cloud < 1808 < 1808

SAP Commerce Cloud < 1811 < 1811

SAP Commerce Cloud < 1905 < 1905

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...

x_refsource_MISC

https://launchpad.support.sap.com/#/notes/2965287

x_refsource_MISC

CVSS V3.1

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Oct 15, 2020
Vulnerability Reserved
Jan 8, 2020