CVE-2020-6363
MEDIUMSAP Commerce Cloud - Insufficient Session Expiration
Title source: llmDescription
SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user. These sessions are established after the user has authenticated with username/passphrase credentials. The user can change their own passphrase, but this does not invalidate active sessions that the user may have with SAP Commerce Cloud web applications, which gives an attacker the opportunity to reuse old session credentials, resulting in Insufficient Session Expiration.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
Permissions Required x_refsource_misc
https://launchpad.support.sap.com/#/notes/2965287
Scores
CVSS v3
4.6
EPSS
0.0021
EPSS Percentile
43.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Details
CWE
CWE-613
Status
published
Products (4)
sap/commerce_cloud
1808
sap/commerce_cloud
1811
sap/commerce_cloud
1905
sap/commerce_cloud
2005
Published
Oct 15, 2020
Tracked Since
Feb 18, 2026