PT-2020-19136 · SAP · SAP Commerce Cloud
Published 2020-10-15 · Updated 2020-10-19 · CVE-2020-6363
CVSS v2.0: 4.9 (Medium)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
SAP Commerce Cloud versions 1808, 1811, 1905, 2005
Description
The issue allows an attacker to reuse old session credentials due to insufficient session expiration. This occurs because changing a user's passphrase does not invalidate active sessions with SAP Commerce Cloud web applications. The sessions are established after a user authenticates with username and passphrase credentials.
Recommendations
For SAP Commerce Cloud versions 1808, 1811, 1905, 2005, consider implementing a mechanism to invalidate all active sessions when a user changes their passphrase as a temporary workaround to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
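As an added illustration (not code from SAP or from this advisory), a minimal server-side session store in Python that reproduces the flaw and the recommended workaround: with `invalidate_on_password_change=False` a token issued before the passphrase change stays valid, as described above; with it set to `True` the change purges the user's sessions and also bumps a credential generation so any stale copy is rejected at validation time. The `SessionStore` class, its methods and the sample user are constructed for this example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    generation: int = 0  # bumped on every passphrase change (hardened mode only)

@dataclass
class Session:
    username: str
    generation: int  # credential generation the session was issued under

def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class SessionStore:
    """Minimal session store; strict=False reproduces the behaviour in the advisory."""
    def __init__(self, invalidate_on_password_change: bool):
        self.strict = invalidate_on_password_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(salt, _hash(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user.pw_hash, _hash(password, user.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.generation)
        return token

    def change_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash(new_password, user.salt)
        if self.strict:
            # Workaround from the advisory: drop every live session of this user,
            # then bump the generation so a stale copy that escaped the purge
            # (e.g. a replicated session cache on another node) is rejected too.
            self.sessions = {t: s for t, s in self.sessions.items() if s.username != username}
            user.generation += 1

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        return s is not None and s.generation == self.users[s.username].generation
```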
Weakness Enumeration
Insufficient Session Expiration
Related Identifiers
Affected Products
SAP Commerce Cloud