CVE-2020-6272
5.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
SAP Commerce Cloud versions - 1808, 1811, 1905, 2005, does not sufficiently encode user inputs, which allows an authenticated and authorized content manager to inject malicious script into several web CMS components. These can be saved and later triggered, if an affected web page is visited, resulting in Cross-Site Scripting (XSS) vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SAP SE | SAP Commerce Cloud | < 1808 | affected |
| SAP SE | SAP Commerce Cloud | < 1811 | affected |
| SAP SE | SAP Commerce Cloud | < 1905 | affected |
| SAP SE | SAP Commerce Cloud | < 2005 | affected |
Weaknesses
- Cross Site Scripting
ADP Enrichment
CVE Program Container
Additional References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
- https://launchpad.support.sap.com/#/notes/2917381
References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
- https://launchpad.support.sap.com/#/notes/2917381
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.