CVE-2020-6302

Name of the Vulnerable Software and Affected Versions SAP Commerce versions 6.7, 1808, 1811, 1905, 2005

Description The issue allows an attacker to obtain the jSession ID via methods such as shoulder surfing or man-in-the-middle attacks when the application is initially loaded. This jSession ID is contained in the backoffice URL. Once obtained, the attacker can use this ID to gain access to admin user accounts, leading to session fixation. This compromises the confidentiality, integrity, and availability of the application.

Recommendations For SAP Commerce versions 6.7, 1808, 1811, 1905, 2005, consider implementing a secure method to handle session IDs, such as regenerating the session ID after a successful login or using a secure token-based system to prevent session fixation attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.