exploitDog

CVE-2019-0308

Published: 12 Jun 2019
Source: nvd
CVSS3: 6.8
CVSS2: 3.5
EPSS: Low

Description

An authenticated attacker in SAP E-Commerce (Business-to-Consumer application), versions 7.3, 7.31, 7.32, 7.33, 7.54, can change the price of the product to zero and also checkout, by injecting an HTML code in the application that will be executed whenever the victim logs in to the application even on a different machine, leading to Code Injection.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:sap:e-commerce:7.30:*:*:*:*:*:*:*
cpe:2.3:a:sap:e-commerce:7.31:*:*:*:*:*:*:*
cpe:2.3:a:sap:e-commerce:7.32:*:*:*:*:*:*:*
cpe:2.3:a:sap:e-commerce:7.33:*:*:*:*:*:*:*
cpe:2.3:a:sap:e-commerce:7.54:*:*:*:*:*:*:*

EPSS

Percentile: 45%
0.00221
Low

6.8 Medium

CVSS3

3.5 Low

CVSS2

Weaknesses

CWE-79

Related vulnerabilities

github
more than 3 years ago

An authenticated attacker in SAP E-Commerce (Business-to-Consumer application), versions 7.3, 7.31, 7.32, 7.33, 7.54, can change the price of the product to zero and also checkout, by injecting an HTML code in the application that will be executed whenever the victim logs in to the application even on a different machine, leading to Code Injection.

EPSS

Percentile: 45%
0.00221
Low

6.8 Medium

CVSS3

3.5 Low

CVSS2

Weaknesses

CWE-79