CVE-2019-0308

Summary

An authenticated attacker in SAP E-Commerce (Business-to-Consumer application), versions 7.3, 7.31, 7.32, 7.33, 7.54, can change the price of the product to zero and also checkout, by injecting an HTML code in the application that will be executed whenever the victim logs in to the application even on a different machine, leading to Code Injection.

Affected Software

VendorProductVersion RangeStatus
SAP SESAP E-Commerce (Business-to-Consumer application)< 7.3affected
SAP SESAP E-Commerce (Business-to-Consumer application)< 7.31affected
SAP SESAP E-Commerce (Business-to-Consumer application)< 7.32affected
SAP SESAP E-Commerce (Business-to-Consumer application)< 7.33affected
SAP SESAP E-Commerce (Business-to-Consumer application)< 7.54affected

Weaknesses

  • Code Injection

ADP Enrichment

CVE Program Container

Additional References

References